Providing services at the edge of a network using selected virtual tunnel interfaces

ABSTRACT

For traffic exiting a logical network through a particular VTI, some embodiments perform a service classification operation for different data messages to identify different VTIs that connect the edge forwarding element to a service node to provide services required by the data messages. Each data message, in some embodiments, is then forwarded to the identified VTI to receive the required service. The identified VTI does not perform a service classification operation. The service node then returns the serviced data message to the edge forwarding element. In some embodiments, the identified VTI is not configured to perform the service classification operation and is instead configured to mark all traffic directed to the edge forwarding element as having been serviced. The marked serviced data message is received at the edge forwarding element and forwarded to a destination of the data message through the particular VTI.

BACKGROUND

Datacenters today provide edge services for multiple different types oftraffic. Edge services for different types of traffic have, in the past,used different mechanisms to perform service classification. New usecases for edge services require yet more mechanisms for providing edgeservices. In order to simplify the provision of edge services for themultiple types of traffic there is a need in the art for a new approachto the provision of edge services.

BRIEF SUMMARY

Some virtualized computing environments provide edge forwarding elementsthat sit between an external network and internal networks (e.g.,logical networks). The virtualized computing environment, in someembodiments, provides additional edge forwarding elements (and edgeservices) for subnetworks within the virtualized computing environment.For example, different logical networks, each with their own edge devicemay be implemented within a datacenter (e.g., by a provider network)that provides an edge forwarding element between an external network andthe networks internal to the datacenter. Each logical network (e.g.,tenant network, or provider network) includes at least one edgeforwarding element, in some embodiments, that executes on either an edgehost or as an edge compute node to provide the logical network withaccess to an external network and vice versa. In some embodiments, theedge forwarding elements provide a set of services (e.g., edge services)for traffic processed by the edge forwarding elements.

Some embodiments provide novel methods for providing different types ofservices for a logical network associated with an edge forwardingelement acting between the logical network and an external network. Theedge forwarding element receives data messages for forwarding andperforms a service classification operation to select a set of servicesof a particular type for the data message. The particular type ofservice is one of multiple different types of services that usedifferent transport mechanisms to forward the data to a set of servicenodes (e.g., service virtual machines, or service appliances, etc.) thatprovide the service. The edge forwarding element then receives the datamessage after the selected set of services has been performed andperforms a forwarding operation to forward the data message. In someembodiments, the method is also performed by edge forwarding elementsthat are at the edges of logical network segments within the logicalnetwork.

The transport mechanisms, in some embodiments, include a logical serviceforwarding plane (implemented as a logical service forwarding element)that connects the edge forwarding element to a set of service nodes thateach provide a service in the set of services. In selecting the set ofservices, the service classification operation of some embodimentsidentifies a chain of multiple service operations that has to beperformed on the data message. The service classification operation, insome embodiments, includes selecting, for the identified chain ofservices, a service path to provide the multiple services. Afterselecting the service path, the data message is sent along the selectedservice path to have the services provided. Once the services have beenprovided, the data message is returned to the edge forwarding element bya last service node in the service path that performs the last serviceoperation and the edge forwarding element performs next hop forwardingon the data message or a forwarding operation to forward the datamessage.

Some embodiments provide stateful services in the chain of servicesidentified for some data messages. To support stateful services inservice chains, some embodiments generate connection tracking records ina connection tracker storage used by the edge forwarding element totrack service insertion decisions made for multiple data message flowsrequiring multiple different sets of services (i.e., service chains).The edge forwarding element (e.g., a router) receives a data message ata particular interface of the edge forwarding element that is traversingthe edge forwarding element in a forward direction between two machines.The data message, in some embodiments, is a first data message in aforward data message flow (e.g., a set of data messages sharing a sameset of attributes) that together with a reverse data message flowbetween the two machines makes up a bidirectional flow.

The edge forwarding element identifies (1) a set of stateful servicesfor the received data message and (2) a next hop associated with theidentified set of stateful services in the forward direction and a nexthop associated with the identified set of stateful services in thereverse direction. Based on the identified set of services and the nexthops for the forward and reverse directions, the edge forwarding elementgenerates and stores first and second connection tracking records forthe forward and reverse data message flows, respectively. The first andsecond connection tracking records include the next hop identified forthe forward and reverse direction data message flows, respectively. Theedge forwarding element forwards the received data message to the nexthop identified for the forward direction and, for subsequent datamessages of the forward and reverse data message flows received by theedge forwarding element, uses the stored connection tracking records toidentify the next hop for forwarding.

Some embodiments configure the edge forwarding element to performservice insertion operations to identify stateful services to performfor data messages received for forwarding by the edge forwarding elementat multiple virtual interfaces of the edge forwarding element. Theservice insertion operation, in some embodiments, includes applying aset of service insertion rules. The service insertion rules (1) specifya set of criteria and a corresponding action to take for data messagesmatching the criteria (e.g., a redirection action and a redirectiondestination) and (2) are associated with a set of interfaces to whichthe service insertion rules are applied. In some embodiments, the actionis specified using a universally unique identifier (UUID) that is thenused as a matching criteria for a subsequent policy lookup thatidentifies a type of service insertion and a set of next hop data. Theedge forwarding element is configured to apply, for each virtualinterface, a set of relevant service insertion rules to data messagesreceived at the virtual interface (i.e., to make a service insertiondecision).

As described above, the edge forwarding element is configured with aconnection tracker storage that stores connection tracking records fordata message flows based on the result of a service insertion operationperformed for a first data message in the data message flows. In someembodiments, the connection tracker storage is a universal storage forall interfaces of the edge forwarding element and each connectiontracking record includes an identifier of a service insertion rule thatis used to identify the set of stateful services and the next hop for adata message flow corresponding to the connection tracking record.

The service insertion operation, in some embodiments, includes a firstlookup in the connection tracker storage to identify a connectiontracking record for a data message received at an interface if itexists. If the connection tracking record exists, all connectiontracking data records that include a set of data message attributes(e.g., a data message flow identifier) that match data messageattributes of the received data message are identified as a set ofpossible connection records for the data message. Based on the serviceinsertion rule identifiers and an interface on which the data messagewas received, a connection tracking record in the set of possibleconnection records storing an identifier for a service insertion ruleapplied to the interface is identified as storing the action for thereceived data message. If a connection tracking record for the receiveddata message is identified, the edge forwarding element forwards thedata message based on the action stored in the connection trackingrecord. If a connection tracking record is not identified (e.g., thedata message is a first data message in a data message flow), the edgeforwarding element identifies the action for the data message using theservice insertion rules and generates connection tracking record andstores the connection tracking record in the connection tracker storage.

Some embodiments provide a method of performing stateful services thatkeeps track of changes to states of service nodes to update connectiontracker records when necessary. At least one global state valueindicating a state of the service nodes is maintained at the edgedevice. In some embodiments, different global state values aremaintained for service chain service nodes (SCSNs) and layer 2bump-in-the-wire service nodes (L2 SNs). The method generates a recordin a connection tracker storage including the current global state valueas a flow state value for a first data message in a data message flow.Each time a data message is received for the data message flow, thestored state value (i.e., a flow state value) is compared to therelevant global state value (e.g., SCSN state value or L2 SN statevalue) to determine if the stored action may have been updated.

After a change in the global state value relevant to the flow, theglobal state value and the flow state value do not match and the methodexamines a flow programming table to determine if the flow has beenaffected by the flow programming instruction(s) that caused the globalstate value to change (e.g., increment). The instructions stored in theflow programming table, in some embodiments, include a data message flowidentifier and an updated action (e.g., drop, allow, update selectedservice path, update a next hop address). If the data message flowidentifiers stored in the flow programming table do not match thecurrent data message flow identifier, the flow state value is updated tothe current global state value and the action stored in the connectiontracker record is used to process the data message. However, if at leastone of the data message flow identifiers stored in the flow programmingtable matches the current data message flow identifier, the flow statevalue is updated to the current global state value and the action storedin the connection tracker record is updated to reflect the execution ofthe instructions with a matching flow identifier stored in the flowprogramming table and the updated action is used to process the datamessage.

An edge forwarding element is configured, in some embodiments, toprovide services using the service logical forwarding element as atransport mechanism. The edge forwarding element is configured toconnect different sets of virtual interfaces of the edge forwardingelement to different network elements of the logical network usingdifferent transport mechanisms. For example, a first set of virtualinterfaces is configured to connect to a set of forwarding elementsinternal to the logical network using a set of logical forwardingelements connecting source and destination machines of traffic for thelogical network. Traffic received on the first set of interfaces isforwarded to a next hop towards the destination by the edge forwardingelement without being returned to the forwarding element from which itwas received, in some embodiments. A second set of virtual interfaces isconfigured to connect to a set of service nodes to provide services fordata messages received at the edge forwarding element.

Each connection made for the second set of virtual interfaces may usedifferent transport mechanisms such as a service logical forwardingelement, a tunneling mechanism, and a bump-in-the-wire mechanism, and insome embodiments, some or all of the transport mechanisms are used toprovide data messages to the service nodes. Each virtual interface in athird set of virtual interfaces is configured to connect to a servicelogical forwarding element connecting the edge forwarding element to atleast one internal forwarding element in the set of internal forwardingelements. The virtual interfaces are configured to be used (1) toreceive data messages from the at least one internal forwarding elementto be provided a service by at least one service node in the set ofservice nodes and (2) to return the serviced data message to theinternal forwarding element network.

Some embodiments facilitate the provision of a service reachable at avirtual internet protocol (VIP) address. The VIP address is used byclients to access a set of service nodes in the logical network. In someembodiments, data messages from client machines to the VIP are directedto an edge forwarding element at which the data messages are redirectedto a load balancer that load balances among the set of service nodes toselect a service node to provide a service requested by the clientmachine. The load balancer, in some embodiments, does not change thesource IP address of the data message received from the client machineso that the service node receives a data message to be serviced thatidentifies the client machine IP address as a source IP address. Theservice node services the data message and sends the serviced datamessage to the client machine using the IP address of the service nodeas a source IP address and the IP address of the client node as thedestination IP address. Because the client sent the original address tothe VIP address, the client will not recognize the source IP address ofthe serviced data message as being a response to the request sent to theVIP address and the serviced data message will not be processedappropriately (e.g., it will be dropped, or not associated with theoriginal request).

Facilitating the provision of the service, in some embodiments, includesreturning the serviced data message to the load balancer to track thestate of the connection using the service logical forwarding element. Touse the service logical forwarding element, some embodiments configurean egress data path of the service nodes to intercept the serviced datamessage before being forwarded to a logical forwarding element in thedatapath from the client to the service node, and determine if theserviced data message requires routing by the routing service providedas a service by the edge forwarding element. If the data messagerequires routing by the routing service (e.g., for serviced datamessages), the serviced data message is forwarded to the edge forwardingelement over the service logical forwarding element. In someembodiments, the serviced data message is provided to the edgeforwarding element along with the VIP associated with the service, inother embodiments, the edge forwarding element determines the VIP basedon a port used to send the data message over the service logicalforwarding element. The VIP is used by the edge forwarding element toidentify the load balancer associated with the serviced data message.The serviced data message is then forwarded to the load balancer for theload balancer to maintain state information for the connection to whichthe data message belongs and modify the data message to identify the VIPas the source address for forwarding to the client.

The transport mechanisms, in some embodiments, include a tunnelingmechanism (e.g. a virtual private network (VPN), internet protocolsecurity (IPSec), etc.) that connects the edge forwarding element to atleast one service node through a corresponding set of virtual tunnelinterfaces (VTIs). In addition to the VTIs used to connect the edgeforwarding element to the service nodes, the edge forwarding elementuses other VTIs to connect to other network elements for which itprovides forwarding operations. At least one VTI used to connect theedge forwarding element to other (i.e., non-service node) networkelements is identified to perform a service classification operation andis configured to perform the service classification operation for datamessages received at the VTI for forwarding. The VTIs connecting theedge forwarding element to the service nodes, in some embodiments, arenot configured to perform a service classification operation and areinstead configured to mark data messages returned to the edge forwardingelement as having been serviced. In other embodiments, VTIs connectingthe edge forwarding element to the service nodes are configured toperform limited service classification operations using a single defaultrule that is applied at the VTI that marks data messages returned to theedge forwarding element as having been serviced.

For traffic exiting a logical network through a particular VTI, someembodiments perform a service classification operation for differentdata messages to identify different VTIs that connect the edgeforwarding element to a service node to provide services required by thedata messages. Each data message, in some embodiments, is then forwardedto the identified VTI to receive the required service (e.g., from theservice node connected to the edge forwarding element through the VTI).The identified VTI does not perform a service classification operationand merely allows the data message to reach the service node. Theservice node then returns the serviced data message to the edgeforwarding element. In some embodiments, the VTI is not configured toperform the service classification operation and is instead configuredto mark all traffic directed to the edge forwarding element from theservice node as having been serviced. The marked serviced data messageis then received at the edge forwarding element and is forwarded to adestination of the data message through the particular VTI. In someembodiments, the particular VTI does not perform additional serviceinsertion operations because the data message is marked as having beenserviced.

The preceding Summary is intended to serve as a brief introduction tosome embodiments of the invention. It is not meant to be an introductionor overview of all inventive subject matter disclosed in this document.The Detailed Description that follows and the Drawings that are referredto in the Detailed Description will further describe the embodimentsdescribed in the Summary as well as other embodiments. Accordingly, tounderstand all the embodiments described by this document, a full reviewof the Summary, Detailed Description, the Drawings, and the Claims isneeded. Moreover, the claimed subject matters are not to be limited bythe illustrative details in the Summary, Detailed Description, and theDrawings.

BRIEF DESCRIPTION OF THE DRAWINGS

The novel features of the invention are set forth in the appendedclaims. However, for purposes of explanation, several embodiments of theinvention are set forth in the following figures.

FIG. 1 conceptually illustrates a process performed by the edge deviceto perform the service classification operation to select a set ofservices of a particular type for the data message and identifyforwarding information for the data message.

FIG. 2 conceptually illustrates a process for identifying whether aconnection tracker record is stored in the connection tracker storageused in some embodiments.

FIG. 3 conceptually illustrates a process for forwarding data messagesat the edge forwarding component that was provided the service type andforwarding information by the process of FIG. 1.

FIG. 4 conceptually illustrates a logical network with two tiers oflogical routers, an availability zone logical gateway router.

FIG. 5 illustrates one possible management plane view of the logicalnetwork in which both the AZG and VPCG include a centralized component.

FIG. 6 conceptually illustrates a physical implementation of themanagement plane constructs for a two-tiered logical network shown inFIG. 5, in which the VPCG and the AZG both include SRs as well as a DR.

FIG. 7 illustrates logical processing operations for availability zone(T0) logical router components that are included in an edge datapathexecuted by an edge device for data messages.

FIG. 8 illustrates a TX SR acting as a source for traffic on a logicalservice forwarding element.

FIG. 9 illustrates a service path including two service nodes accessedby the TX SR through a LSFE.

FIG. 10 illustrates a second embodiment including two edge devices andexecuting an availability zone gateway datapath and virtual privatecloud gateway datapath respectively.

FIG. 11 illustrates a set of operations performed by a set of serviceinsertion layer and service transport layer modules called by a servicerouter at either T0 or T1 for a first data message in a data messageflow that requires services from a set of service nodes that define aservice path.

FIG. 12 illustrates a set of operations performed by a set of serviceinsertion layer and service transport layer modules called by a servicerouter at either T0 or for a data message in a data message flow thatrequires services from a set of service nodes that define a servicepath.

FIG. 13 conceptually illustrates a process for validating or updating anidentified connection tracker record for a data message flow.

FIG. 14 illustrates sets of connection tracker records in a connectiontracker storage and an exemplary sets of flow programming records in aflow programming table.

FIG. 15 illustrates an object data model of some embodiments.

FIG. 16 conceptually illustrates several operations that the networkmanagers and controllers perform in some embodiments to define rules forservice insertion, next service hop forwarding, and service processing.

FIG. 17 conceptually illustrates a process for configuring logicalforwarding elements to connect to logical service forwarding planes.

FIG. 18 illustrates a set of operations performed by a set of serviceinsertion layer and service transport layer modules called by a servicerouter at either T0 or T1 for a first data message in a data messageflow that requires services from a service node reachable through atunneling mechanism.

FIG. 19 illustrates a set of operations performed by a set of serviceinsertion layer and service transport layer modules called by a servicerouter at either T0 or T1 for a first data message in a data messageflow that requires services from a service node reachable through a L2BIW mechanism.

FIGS. 20A-B conceptually illustrate a data message being sent from acompute node in a logical network (e.g., logical network A) implementedin a cloud environment to a compute node in an external datacenter.

FIGS. 21A-B conceptually illustrate a data message being sent from acompute node in an external datacenter to a compute node in a logicalnetwork implemented in a cloud environment.

FIG. 22 conceptually illustrates a first method for providing servicesfor data messages at an uplink interface in a set of uplink interfaces.

FIG. 23 conceptually illustrates a second method for providing servicesfor data messages at an uplink interface in a set of uplink interfaces.

FIG. 24 conceptually illustrates a logical network that provides serviceclassification operations at multiple routers of the logical network.

FIG. 25 conceptually illustrates an edge forwarding element connected toservice nodes using multiple transport mechanisms.

FIG. 26 illustrates a logical network including three VPC servicerouters 2630 belonging to two different tenants.

FIG. 27 illustrates a logical network including three VPC servicerouters 2630 belonging to three different tenants.

FIG. 28 conceptually illustrates a process for accessing servicesprovided at an availability zone edge forwarding element from a VPC edgeforwarding element.

FIG. 29 conceptually illustrates a process for the availability zoneservice router to perform when it receives a data message from the VPCservice router as part of process.

FIG. 30 conceptually illustrates a VPC service router processing a datamessage sent from a first compute node to a second compute node in asecond network segment served by a second VPC service router.

FIG. 31 conceptually illustrates a VPC service router processing a datamessage sent from an external network to a compute node.

FIGS. 32A-B illustrates a set of data messages for providing a serviceaddressable at a VIP to a client served by a same virtual private cloudgateway (e.g., a virtual private cloud gateway service and distributedrouter).

FIG. 33 conceptually illustrates an electronic system with which someembodiments of the invention are implemented.

DETAILED DESCRIPTION

In the following detailed description of the invention, numerousdetails, examples, and embodiments of the invention are set forth anddescribed. However, it will be clear and apparent to one skilled in theart that the invention is not limited to the embodiments set forth andthat the invention may be practiced without some of the specific detailsand examples discussed.

Some virtualized computing environments/logical networks provide edgeforwarding elements that sit between an external network and internalnetworks (e.g., logical networks). The virtualized computingenvironment, in some embodiments, provides additional edge forwardingelements (or edge services) for subnetworks within the virtualizedcomputing environment. For example, different logical networks, eachwith their own edge device may be implemented within a datacenter (e.g.,by a provider network) that provides an edge forwarding element betweenan external network and the networks internal to the datacenter. Eachlogical network (e.g., tenant network, or provider network) includes atleast one edge forwarding elements, in some embodiments, that executesin either an edge host or as an edge compute node to provide the logicalnetwork with access to an external network and vice versa. In someembodiments, the edge forwarding elements provide a set of services(e.g., middlebox services) for traffic processed by the edge forwardingelements.

As used in this document, data messages refer to a collection of bits ina particular format sent across a network. One of ordinary skill in theart will recognize that the term data message is used in this documentto refer to various formatted collections of bits that are sent across anetwork. The formatting of these bits can be specified by standardizedprotocols or non-standardized protocols. Examples of data messagesfollowing standardized protocols include Ethernet frames, IP packets,TCP segments, UDP datagrams, etc. Also, as used in this document,references to L2, L3, L4, and L7 layers (or layer 2, layer 3, layer 4,and layer 7) are references respectively to the second data link layer,the third network layer, the fourth transport layer, and the seventhapplication layer of the OSI (Open System Interconnection) layer model.

Also, in this example, each logical forwarding element is a distributedforwarding element that is implemented by configuring multiple softwareforwarding elements (SFEs) (i.e., managed forwarding elements) onmultiple host computers. To do this, each SFE or a module associatedwith the SFE in some embodiments is configured to encapsulate the datamessages of the LFE with an overlay network header that contains avirtual network identifier (VNI) associated with the overlay network. Assuch, the LFEs are said to be overlay network constructs that spanmultiple host computers in the discussion below.

The LFEs also span in some embodiments configured hardware forwardingelements (e.g., top of rack switches). In some embodiments, each LFE isa logical switch that is implemented by configuring multiple softwareswitches (called virtual switches or vswitches) or related modules onmultiple host computers. In other embodiments, the LFEs can be othertypes of forwarding elements (e.g., logical routers), or any combinationof forwarding elements (e.g., logical switches and/or logical routers)that form logical networks or portions thereof. Many examples of LFEs,logical switches, logical routers and logical networks exist today,including those provided by VMware's NSX network and servicevirtualization platform.

Some embodiments provide novel methods for providing different types ofservices for a logical network associated with an edge forwardingelement executed by an edge device acting between the logical networkand an external network. The edge device receives data messages forforwarding and performs a service classification operation to select aset of services of a particular type for the data message. FIG. 1conceptually illustrates a process 100 performed by the edge device toperform the service classification operation to select a set of servicesof a particular type for the data message and identify forwardinginformation for the data message.

In some embodiments, the process is performed as part of an edgedatapath that, for data messages coming in to the network precedes arouting operation. The process, in some embodiments, is performed by anetwork interface card (MC) that is designed or programmed to performthe service classification operation. In some embodiments, process 100is additionally, or alternatively, performed by the edge device as partof logical processing at multiple virtual interfaces of a logical edgeforwarding element including a set of virtual tunnel interfaces (VTIs)used to connect the edge forwarding element to compute nodes outside ofthe datacenter. In some embodiments, particular interfaces areconfigured to perform the service classification operation (e.g., bytoggling a service classification tag to “1”) while other interfaces arenot configured to perform a service classification operation (e.g., ifthe service classification tag is set to “0”). In some embodiments, acentralized (e.g. service) router calls a set of service insertion andservice transport layer modules (such as modules in element 735 of FIG.7) as part of a processing pipeline.

Process 100 begins by receiving (at 110) a data message at an interface(e.g., the NIC, a VTI) connected to an external network (e.g., a routeroutside of a datacenter implementing the logical network). The datamessage, in some embodiments, is received from the external network aspart of a communication between a client in the external network and acompute node (e.g. a server, or service node) in the logical network (orvice versa). In some embodiments, the data message is a data messagebetween two compute nodes in the external network that receives servicesat the edge of logical network.

The process 100 continues by determining (at 120) if a connectiontracker record is stored in a connection tracker for the data messageflow to which the data message belongs. FIG. 2 conceptually illustratesa process 200 for identifying whether a connection tracker record isstored in the connection tracker storage used in some embodiments. Thedetermination (at 120) includes determining (at 221) whether theconnection tracker storage stores any records (i.e., entries in theconnection tracker storage) with a flow identifier that matches the flowidentifier of the received data message. The flow identifier, in someembodiments, is a set of header values (e.g., a five-tuple), or a valuegenerated based on a set of header values (e.g., a hash of a set ofheader values). If no matching entries are found, the process 200determines that no connection tracker record is stored for the datamessage and the process 200 produces a “no” at operation 120 of process100. In some embodiments, the connection tracker storage stores multiplepossible matching entries distinguished by the tag indicating the typeof stateful operation that created the connection tracker record (e.g.,a preliminary firewall operation or a service classification operation).In other embodiments, separate connection tracker storages aremaintained for the different types of stateful operations. Theconnection tracker records created by service classification operations,in some embodiments, include a rule identifier associated with a serviceinsertion rule that (1) was applied to a first data message in a datamessage flow and (2) determines the content of the connection trackerrecord.

If at least one matching connection tracker record is found in theconnection tracker storage the process 200 determines (at 222) if a tag(e.g., a flag bit) identifying whether the record was created as part ofa service classification operation or as part of a different statefulprocessing (e.g., an independent firewall operation). In someembodiments, the tag is compared to a value stored in a bufferassociated with the data message that is used during the logicalprocessing to store data beyond that which is normally included in adata message (e.g., context data, interface on which the data messagewas received, etc.). If the tag of the record(s) with a matching flowidentifier does not indicate that it is relevant to a serviceclassification operation, the process 200 produces a “no” at operation120 of process 100.

However, if at least one record includes both a matching flow identifier(at 221) and a matching service classification operation tag (at 222),the process identifies (at 223) interfaces at which a service insertionrule that was used to generate each potentially matching record isapplied (i.e., interfaces in the “applied_to” field of the rule that washit by a first data message of the potentially matching record). In someembodiments, a rule identifier is stored in the connection trackerrecord and the rule identifier is associated with (e.g., points to) adata storage (e.g., a container) that stores a list of interfaces atwhich it is applied. In such embodiments, identifying the interfaces atwhich a rule that was used to generate each potentially matching recordis applied includes identifying the interfaces stored in the datastorage associated with the rule.

The process 200 then determines (at 224) if any interfaces at which arule is applied is the interface at which the current data message wasreceived. In some embodiments, data messages of a same data message floware received at different interfaces based on a load balancing operation(e.g., equal cost multipathing (ECMP)) performed by a forwarding element(e.g., a router) in an external network. Additionally, some datamessages are necessarily received at multiple interfaces at whichdifferent service rules are applied as part of a processing pipeline.For example, a data message that is received at a first VTI at which aparticular service rule applies identifies a second VTI to which toredirect the data message for providing a service required by the datamessage. The second VTI is connected to a service node that provides therequired service and, after the data message is serviced, the datamessage is returned to the second VTI. The flow identifier matches theconnection tracker record for the original data message, but, theservice insertion rule identified in the connection tracker record isnot applied to data messages received at the second VTI (e.g., theapplied_to field of the service insertion rule does not include thesecond VTI) such that the data message is not redirected to the secondVTI to be serviced again.

In some embodiments, the interface is identified by a UUID (e.g., a64-bit or 128-bit identifier) that is too large to store in theconnection tracker record. The UUIDs (or other identifiers) ofinterfaces identified (at 223) are compared to the UUID of the interfaceon which the data message was received which, as described above, isstored in a buffer associated with the data message in some embodiments.If no interfaces at which a rule (of a potentially matching connectiontracker record) is applied match the interface at which the data messagewas received, the process 200 produces a “no” at operation 120 ofprocess 100. If, however, a connection tracker record is associated withthe interface at which the data message was received (i.e., a rule thatwas used to generate the connection tracker record is applied at theinterface at which the data message was received), the process 200produces a “yes” at operation 120 of process 100). In some embodiments,a further state value associated with service node state is checked aswill be discussed in relation to FIG. 13.

If the process 100 determines (at 120) that the data message belongs toa flow that has a connection tracker record, the process 100 retrieves(at 125) a service action based on the information in the connectiontracker record. The service action, in some embodiments, includes aservice type and a set of forwarding information stored in theconnection tracker record. Additional details of retrieving the serviceaction are described in relation to FIGS. 12 and 13. The service type,in some embodiments, identifies the transport mechanism (e.g., logicalservice forwarding element, L3 VPN, or L2 bump-in-the-wire). Theforwarding information, in some embodiments, includes different types offorwarding information for different types of service insertion types.For example, the forwarding information for services provided by aservice chain includes a service path identifier and a next hop MACaddress. Forwarding information for a bump-in-the-wire service node or aservice node connected through a virtual private network include a nexthop IP. The service type and forwarding information is then provided (at170) to the edge forwarding element (e.g., a virtual routing andforwarding (VRF) context of the edge forwarding element) and the processends. In some embodiments, the service type and forwarding informationare provided (at 170) to a transport layer module that redirects thedata message to a service node using a transport mechanism identified bythe service type to a destination identified by the forwardinginformation as described in relation to FIG. 3.

If the process 100 determines (at 120) that no connection trackerstorage entry exists for the received data message for any of thereasons identified in process 200, the process 100 performs (at 130) afirst service classification lookup for a set of service insertion rulesto find a highest priority rule that is defined for data messages with aset of attributes shared by the received data message. The set of datamessage attributes, in some embodiments, in a particular serviceinsertion rule may include any of: header values at layer 2, layer 3, orlayer 4, or a hash value based on any of the header values, and mayinclude wildcard values for certain attributes (e.g., fields) that allowfor any value of the attribute. The service insertion rule, in theembodiment described in relation to process 100, identifies auniversally unique identifier (UUID) that is associated with a set ofactions for data messages matching the service insertion rule. In otherembodiments, service insertion rules include a set of actions (e.g.,redirect to a particular address using a particular transport mechanism)to perform for the received data message. In some embodiments, alowest-priority (e.g., default) rule that applies to all data messages(e.g., that specifies all wildcard values) is included in the set ofservice insertion rules and will be identified if no other serviceinsertion rule with higher priority is identified. The default rule, insome embodiments, will specify a no-op that causes the data message tobe provided to the routing function of the edge forwarding element to berouted without any services being performed on the data message. Inother embodiments, the default rule will cause the data message to beprovided to the routing function along with an indication that the datamessage does not require further service classification operations.

After identifying (at 130) the UUID associated with the serviceinsertion rule (and data message), the process 100 performs (at 140) apolicy lookup based on the UUID identified (at 130) based on the serviceinsertion rule. In some embodiments, the separation of service insertionrule lookup and UUID (policy) lookup is used to simplify the updating ofpolicies for multiple service insertion rules by changing a policyassociated with a single UUID rather than having to update each serviceinsertion rule. The UUID lookup is used to identify a set of forwardinginformation and to identify a particular service type (e.g., a serviceusing a particular transport mechanism). For example, for different datamessages, the UUID lookups may identify any one of a next hop IP address(for a tunneling mechanism), a dummy next hop IP address (for abump-in-the-wire mechanism), or a set of forwarding data including atleast a service path ID, a service index, and a next hop layer 2 (e.g.,MAC) address (for a mechanism using a service logical forwardingelement). In some embodiments, the type of transport mechanism isinferred from the type of forwarding information identified for the datamessage. Some embodiments using a service logical forwarding elementidentify the next hop using a layer 3 (e.g., IP) address. In suchembodiments, it may be necessary to include a service type identifier.

In using the UUID to identify a set of forwarding information and toidentify a particular service type, some embodiments perform a loadbalancing operation to select among multiple next hops to provide anidentified service. In some embodiments, the identified next hops areservice nodes that provide different services. The service nodes, insome embodiments, include at least one of service virtual machines andservice appliances. The load balancing operation, in some embodiments,are based on any of: a round robin mechanism, a load-based selectionoperation (e.g., selecting a service node with a lowest current load),or a distance-based selection operation (e.g., selecting a closestservice node as measured by a selected metric).

After the service action and forwarding information are determined (at140), data message flow identifiers and forwarding information areidentified (at 150) for a reverse direction flow. Data message flowidentifiers for reverse direction flows are, in many cases, are based ona same set of header values as a forward direction data message flowwith source and destination addresses switched. Forwarding informationfor reverse data message flows for certain types of service insertion(i.e., particular types of transport mechanisms) is different forforward direction flows and reverse direction flows. For some types ofservice insertion (i.e., transport mechanisms), the forwardinginformation for a reverse direction flow identifies a next hop for thereverse direction flow that is a last hop for the forward directionflow. For other types of service insertion (e.g., a tunneling mechanism)the reverse direction forwarding information identifies the same nexthop (e.g., the next hop IP address of the tunnel endpoint). In someembodiments, operation 150 is skipped as a connection tracker record forthe reverse direction is not necessary. For example, some rules specifythat they only apply to data messages in a particular direction.

Based on the data message flow identifiers and forwarding informationidentified for the forward and reverse direction flows, a set ofconnection tracker records is generated (at 160) for the forward andreverse direction data message flows with the state information (e.g.,data message identifiers and forwarding information) for the forward andreverse direction data message flows respectively. In some embodiments,generating the connection tracker records includes querying a flowprogramming table for a state value stored in the flow programming tablethat reflects a current state version of a set of service node typesassociated with the service type identified for the data message. Insome embodiments, a flow ID for forward and reverse direction datamessage flows are the same except for a directionality bit thatindicates whether it is a forward or reverse direction data message.

The reverse flow identifier, in some embodiments, is different from areverse flow identifier that would be generated based on the datamessage received in the forward direction. For example, a naïve reversedirection identifier generation operation would switch the source anddestination IP (L3) and MAC (L2) addresses and generate the identifierbased on the switched header values, but if the service node performs aNAT operation, a data message received in the reverse direction wouldgenerate a reverse flow identifier based on the translated address andnot based on the original (forward direction) data message headeraddresses. In some embodiments, the return data message with a differentset of flow identifiers (e.g., header values, etc.) will be considered anew flow and a new connection tracker record for forward and reversedirections of the data message flow associated with the reversedirection data message flow of the original data message.

Additional details about the connection tracker records and flowprogramming table are discussed below in relation to FIG. 14. In someembodiments, after creating the connection tracker records for theforward and reverse direction data message flows, the data message alongwith the forwarding information and service type are provided (at 170)to the component of the edge forwarding element responsible forproviding the data message to the service nodes, to be processed by thecomponent of the edge forwarding element as described below in relationto FIG. 3.

FIG. 3 conceptually illustrates a process 300 for forwarding datamessages at the edge forwarding component that was provided the servicetype and forwarding information by process 100. Process 300, in someembodiments, is performed by an edge forwarding element executing on theedge device. The edge forwarding element, in some embodiments, isexecuted as a virtual machine while in other embodiments the edgeforwarding element is a managed forwarding element (e.g., a virtualrouting and forwarding context) executing on the edge device. In someembodiments, some operations of the process are performed by serviceinsertion layer and service transport layer modules (e.g., elements720-729 of FIG. 7) called by a service (e.g., centralized) router (e.g.,730). Process 300 begins by receiving (at 310) a data message along withservice type and forwarding information for the data message determinedusing, in some embodiments, the service classification operation ofprocess 100.

The process 300 determines (at 320) a service insertion type associatedwith the received data message. In some embodiments, the determinationis made based on the service type information received from the serviceclassification operation. In other embodiments, the determination ismade implicitly based on the type of forwarding information receivedfrom the service classification operation. For example, an IP addressprovided as forwarding information for a particular data message that isfor a virtual tunnel interface (VTI) indicates that the transportmechanism is a tunneling mechanism. Alternatively, a dummy IP addressprovided as the forwarding information indicates that the transportmechanism is a layer 2, bump-in-the-wire mechanism. If the forwardinginformation includes a service path identifier and a next hop MACaddress, the transport mechanism is understood to be a logical serviceforwarding plane for a service chain.

If the process 300 determines (at 320) that the service type uses atunneling transport mechanism, the process 300 identifies (at 332) anegress interface based on an IP address provided by the serviceclassification operation. In some embodiments, the egress interface isidentified by a routing function associated with a service transportlayer module. Based on the identified egress interface, the data messageis provided (at 342) to the VTI which encapsulates the data message fordelivery over a virtual private network (VPN) tunnel to a service nodeto provide the service. In some embodiments, the tunnel uses an internetprotocol security (IPsec) protocol to tunnel the data message to theservice node. In some embodiments using a secure VPN (e.g., IPsec), thedata message is encrypted before being encapsulated for forwarding usingthe tunneling mechanism. In some embodiments, the encryption andencapsulation is performed as part of a datapath of the virtual tunnelinterface used to connect to the service node (e.g., referred to as anL3 service node below).

The encapsulated (and encrypted) data message is then sent to the L3service node over the VPN for the L3 service node to provide the serviceand return the serviced data message to the edge forwarding element.After the service node provides the service, the serviced data messageis received (at 352) at the edge forwarding element (e.g., the servicetransport layer module), and the data message is provided (at 380) to arouting function (e.g., the routing function implemented by the edgeforwarding element) for forwarding to the destination. In someembodiments, the routing is based on an original destination IP addressassociated with the data message that is maintained in a memory bufferof the edge device associated with the data message that, in someembodiments, stores additional metadata such as the interface on whichthe data message was received and for data associated with features ofthe edge forwarding element such as IP fragmentation, IPsec, accesscontrol lists (ACL), etc.

If the process 300 determines (at 320) that the service type uses alayer 2, bump-in-the-wire transport mechanism, the process 300identifies (at 334) source and destination interfaces based on a set ofnext hop dummy IP addresses provided by the service classificationoperation. The next hop dummy IP addresses are used to identify sourceand destination layer 2 (e.g., MAC) addresses associated with abump-in-the-wire service node (i.e., a service node that does not changethe source and destination layer 2 (e.g., MAC) addresses of the datamessage). In some embodiments, the set of next hop dummy IP addressesinclude a set of source and destination dummy IP addresses that areresolved into source and destination layer 2 (e.g., MAC) addressesassociated with different interfaces of the edge forwarding element. Insome embodiments, the different interfaces are identified by a routingfunction associated with a service transport layer module. The differentinterfaces are used, in some embodiments, to differentiate data messagestraversing the edge device (e.g., the edge forwarding element) indifferent directions (e.g., north to south traffic vs. south to northtraffic) such that data messages going in one direction (e.g., fromwithin the logical network to the external network) use a firstinterface as the source and a second interface as a destination, anddata messages going in the opposite direction (e.g., from the externalnetwork to the logical network) use the second interface as a source andthe first interface as a destination.

The data message is then sent (at 344) to the destination interface fromthe source interface using the identified source and destination layer 2addresses. After the data message is sent (at 344) to the service nodeusing the identified interfaces, the edge forwarding element receives(at 354) the serviced data message from the service node at thedestination interface. The serviced data message is then provided (at380) to a routing function (e.g., the routing function implemented bythe edge forwarding element) for forwarding to the destination. In someembodiments, the routing is based on an original destination IP addressassociated with the data message that is maintained throughout theprocessing of the data message. In other embodiments, the originaldestination IP address is maintained in a memory buffer of the edgedevice associated with the data message that, in some embodiments,stores additional metadata such as the interface on which the datamessage was received and for data associated with features of the edgeforwarding element such as IP fragmentation, IPsec, access control lists(ACL), etc.

If the process 300 determines (at 320) that the service type uses aservice logical forwarding element transport mechanism, the process 300identifies (at 336) an interface associated with the service logicalforwarding element based on a table that stores associations betweenlogical forwarding elements (e.g., an edge forwarding elementimplemented as a virtual routing forwarding (VRF) context) andinterfaces of the logical forwarding elements that connect to a servicelogical forwarding plane. In some embodiments the table is a globaltable supplied by a network management or control compute node andincludes information for all logical forwarding elements in the logicalnetwork that connect to any of a set of service logical forwardingelements. In some embodiments, an interface associated with the logicalservice forwarding element is identified based on the forwardinginformation (e.g., based on a service path identifier or service virtualnetwork identifier provided as part of the forwarding information).

The data message is then sent (at 346) to the identified interface (or alogical service plane data message processor) along with service pathinformation and service metadata (SMD) to be encapsulated with a logicalnetwork identifier (LNI) for delivery to a first service node in theservice path identified in the service path information. In someembodiments, the service path information provided as part of theforwarding information includes (1) a service path identifier (SPI) thatis used by the logical forwarding element and each service node toidentify a next hop service node, (2) a service index (SI) indicatingthe location of the hop in the service path, and, in some embodiments,(3) a time to live. In some embodiments, the LNI is a service virtualnetwork identifier (SVNI). Additional details of the use of serviceforwarding planes can be found in U.S. patent application Ser. No.16/444,826 filed on Jun. 18, 2019, which is hereby incorporated byreference.

After being serviced by the service nodes in the service path, the datamessage is received (at 356) at the edge forwarding element. In someembodiments, the edge forwarding element receives the data message as arouting service node that is identified as a last hop in the servicepath identified for the data message. In such embodiments, the servicerouter implements a service proxy to receive the data message inaccordance with a standard protocol for service chaining using servicepaths. The edge forwarding element, in some embodiments, receives theserviced data message along with service metadata that identifies theoriginal source and destination addresses to be used to forward the datamessage to its destination. In some embodiments, the service metadataalso includes any flow programming instructions sent by service nodes orservice insertion proxies on the service path. The flow programminginstructions, in some embodiments, include instructions for modifyinghow the service classification operation selects service chains, servicepaths, and/or forwards data message flows along service paths. In otherembodiments, this flow programming involves other modifications to how adata message flow is processed by the service plane. Flow programmingwill be further described below.

The process 300 then determines (at 366) whether the received serviceddata message includes flow programming instructions. If the process 300determines that flow programming instructions are included with theserviced data message, a flow programming table is updated (at 375) byadding the flow programming instructions to the table to be used inprocessing subsequent data messages in the data message flow. In someembodiments, the flow programming instructions identify the flow thatthe flow programming instruction relates to and a new service action(e.g., a pf_value) for the identified flow. A new service action, insome embodiments, is an instruction to skip a particular service node(e.g., a firewall service node) for a next data message, or for allsubsequent data messages in a data message flow (e.g., if the firewallservice node determines that the data message flow is allowed), or todrop all subsequent data messages of the data message flow (e.g., if thefirewall service node determines that the data message flow is notallowed).

In some embodiments, the connection tracker record for the flowidentified in the flow programming instruction is updated during theprocessing of the next data message in the data message flow. Forexample, each time a flow programming instruction is added to the flowprogramming table, in some embodiments, a flow programming version value(e.g., flow_program_gen) is updated (e.g., incremented) to indicate thata flow programming instruction has been received and that stateinformation generated using a previous flow programming version valuemay be out of date. Upon identifying a connection tracker record for aparticular data message, if the flow programming version value is notequal to the current value, the flow programming table is consulted tosee if the connection tracker record must be updated based on a flowprogramming instruction contained in the flow programming table. The useof the flow programming version value is discussed in more detail inrelation to FIG. 13 below.

If the process 300 determines (at 366) that there are no flowprogramming instructions or after updating the flow programming table,the data message is then provided (at 380) to a routing function (e.g.,the routing function implemented by the edge forwarding element) forforwarding to the destination. In some embodiments, the original set ofdata message headers are carried through the service path in servicemetadata. In other embodiments, the original set of header values arestored in a buffer at the edge device and are restored after the datamessage is received from the last hop in the service path. One ofordinary skill in the art will appreciate that operations 366 and 375,in some embodiments, are performed in parallel with operation 380 asthey do not depend on each other.

The service classification operations are provided, in some embodiments,in a virtualized networking environment. The virtualized networkingenvironment, in some embodiments, is comparable to the virtualizednetworking environment described in U.S. Pat. No. 9,787,605, which ishereby incorporated by reference. A basic introduction to thevirtualized networking environment is presented here, with additionaldetails provided in the above-referenced Patent.

FIG. 4 conceptually illustrates a logical network 400 with two tiers oflogical routers. As shown, the logical network 400 includes, at thelayer 3 level, an availability zone logical gateway router (AZG) 405,several virtual private cloud logical gateway routers (VPCGs) 410-420for logical networks implemented in the availability zone. AZG 405 andVPCGs 410-420 are sometimes referred to as tier 0 (T0) and tier 1 (T1)routers respectively to reflect the hierarchical relationship betweenthe AZG and VPCGs. The first virtual private cloud gateway 410 has twological switches 425 and 430 attached, with one or more data computenodes coupling to each of the logical switches. For simplicity, only thelogical switches attached to the first VPCG 410 are shown, although theother VPCGs 415-420 would typically have logical switches attached (towhich data compute nodes couple). The availability zone, in someembodiments, is a datacenter

In some embodiments, any number of VPCGs may be attached to an AZG suchas the AZG 405. Some datacenters may have only a single AZG to which allVPCGs implemented in the datacenter attach, whereas other datacentersmay have numerous AZGs. For instance, a large datacenter may want to usedifferent AZG policies for different VPCs, or may have too manydifferent VPCs to attach all of the VPCGs to a single AZG. Part of therouting table for an AZG includes routes for all of the logical switchdomains of its VPCGs, so attaching numerous VPCGs to an AZG createsseveral routes for each VPCG just based on the subnets attached to theVPCG. The AZG 405, as shown in the figure, provides a connection to theexternal physical network 435; some embodiments only allow the AZG toprovide such a connection, so that the datacenter (e.g., availabilityzone) provider can manage this connection. Each of the separate VPCGs410-420, though part of the logical network 400, are configuredindependently (although a single tenant could have multiple VPCGs ifthey so choose).

FIG. 5 illustrates one possible management plane view of the logicalnetwork 400 in which both the AZG 405 and VPCG 410 include a centralizedcomponent. In this example, the routing aspects of the AZG 405 and VPCG410 are distributed using a DR. However, because the configuration ofthe AZG 405 and VPCG 410 include the provision of stateful services, themanagement plane view of the AZG and VPCG (and thus the physicalimplementation) includes active and standby service routers (SRs)510-520 and 545-550 for these stateful services.

FIG. 5 illustrates the management plane view 500 for the logicaltopology 400 when the VPCG 410 has a centralized component (e.g.,because stateful services that cannot be distributed are defined for theVPCG). In some embodiments, stateful services such as firewalls, NAT,load balancing, etc. are only provided in a centralized manner. Otherembodiments allow for some or all of such services to be distributed,however. Only details of the first VPCG 410 are shown for simplicity;the other VPCGs may have the same defined components (DR, transit LS,and two SRs) or have only a DR if no stateful services requiring an SRare provided). The AZG 405 includes a DR 505 and three SRs 510-520,connected together by a transit logical switch 525. In addition to thetransit logical switch 525 within the AZG 405 implementation, themanagement plane also defines separate transit logical switches 530-540between each of the VPCGs and the DR 505 of the AZG. In the case inwhich a VPCG is completely distributed, the transit logical switch 530connects to a DR that implements the configuration of the VPCG. Thus, asis described in U.S. Pat. No. 9,787,605, a packet sent to a destinationin the external network by a data compute node attached to the logicalswitch 425 will be processed through the pipelines of the logical switch425, the DR of the VPCG, the transit logical switch 530, the DR 505 ofthe AZG 405, the transit logical switch 525, and one of the SRs 510-520.In some embodiments, the existence and definition of the transit logicalswitches 525 and 530-540 are hidden from the user that configures thenetwork through the API (e.g., an administrator), with the possibleexception of troubleshooting purposes.

The partially centralized implementation of the VPCG 410, illustrated inFIG. 5, includes a DR 560 to which the logical switches 425 and 430attach, as well as two SRs 545 and 550. As in the AZG implementation,the DR and the two SRs each have interfaces to a transit logical switch555. This transit logical switch serves the same purposes as the switch525, in some embodiments. For VPCGs, some embodiments implement the SRsin active-standby manner, with one of the SRs designated as active andthe other designated as standby. Thus, so long as the active SR isoperational, packets sent by a data compute node attached to one of thelogical switches 425 and 430 will be sent to the active SR rather thanthe standby SR.

The above figure illustrates the management plane view of logicalrouters of some embodiments. In some embodiments, an administrator orother user provides the logical topology (as well as other configurationinformation) through an API. This data is provided to a managementplane, which defines the implementation of the logical network topology(e.g., by defining the DRs, SRs, transit logical switches, etc.). Inaddition, in some embodiments a user associates each logical router(e.g., each AZG or VPCG) with a set of physical machines (e.g., apre-defined group of machines in the datacenter) for deployment. Forpurely distributed routers, the set of physical machines is notimportant, as the DR is implemented across the managed forwardingelements that reside on hosts along with the data compute nodes thatconnect to the logical network. However, if the logical routerimplementation includes SRs, then these SRs will each be deployed onspecific physical machines. In some embodiments, the group of physicalmachines is a set of machines designated for the purpose of hosting SRs(as opposed to user VMs or other data compute nodes that attach tological switches). In other embodiments, the SRs are deployed onmachines alongside the user data compute nodes.

In some embodiments, the user definition of a logical router includes aparticular number of uplinks. Described herein, an uplink is anorthbound interface of a logical router in the logical topology. For aVPCG, its uplinks connect to an AZG (all of the uplinks connect to thesame AZG, generally). For an AZG, its uplinks connect to externalrouters. Some embodiments require all of the uplinks of an AZG to havethe same external router connectivity, while other embodiments allow theuplinks to connect to different sets of external routers. Once the userselects a group of machines for the logical router, if SRs are requiredfor the logical router, the management plane assigns each of the uplinksof the logical router to a physical machine in the selected group ofmachines. The management plane then creates an SR on each of themachines to which an uplink is assigned. Some embodiments allow multipleuplinks to be assigned to the same machine, in which case the SR on themachine has multiple northbound interfaces.

As mentioned above, in some embodiments the SR may be implemented as avirtual machine or other container, or as a VRF context (e.g., in thecase of DPDK-based SR implementations). In some embodiments, the choicefor the implementation of an SR may be based on the services chosen forthe logical router and which type of SR best provides those services.

In addition, the management plane of some embodiments creates thetransit logical switches. For each transit logical switch, themanagement plane assigns a unique VNI to the logical switch, creates aport on each SR and DR that connects to the transit logical switch, andallocates an IP address for any SRs and the DR that connect to thelogical switch. Some embodiments require that the subnet assigned toeach transit logical switch is unique within a logical L3 networktopology having numerous VPCGs (e.g., the network topology 400), each ofwhich may have its own transit logical switch. That is, in FIG. 5,transit logical switch 525 within the AZG implementation, transitlogical switches 530-540 between the AZG and the VPCGs, and transitlogical switch 520 (as well as the transit logical switch within theimplementation of any of the other VPCGs) each require a unique subnet.Furthermore, in some embodiments, the SR may need to initiate aconnection to a VM in logical space, e.g. HA proxy. To ensure thatreturn traffic works, some embodiments avoid using link local IPaddresses.

Some embodiments place various restrictions on the connection of logicalrouters in a multi-tier configuration. For instance, while someembodiments allow any number of tiers of logical routers (e.g., an AZGtier that connects to the external network, along with numerous tiers ofVPCGs), other embodiments only allow a two-tier topology (one tier ofVPCGs that connect to the AZG). In addition, some embodiments allow eachVPCG to connect to only one AZG, and each logical switch created by auser (i.e., not a transit logical switch) is only allowed to connect toone AZG or one VPCG. Some embodiments also add the restriction thatsouthbound ports of a logical router must each be in different subnets.Thus, two logical switches may not have the same subnet if connecting tothe same logical router. Lastly, some embodiments require that differentuplinks of an AZG must be present on different gateway machines. Itshould be understood that some embodiments include none of theserequirements, or may include various different combinations of therequirements.

FIG. 6 conceptually illustrates a physical implementation of themanagement plane constructs for a two-tiered logical network shown inFIG. 5, in which the VPCG 410 and the AZG 405 both include SRs as wellas a DR. It should be understood that this figure only shows theimplementation of the VPCG 410, and not the numerous other VPCGs, whichmight be implemented on numerous other host machines, and the SRs ofwhich might be implemented on other gateway machines.

This figure assumes that there are two VMs attached to each of the twological switches 425 and 430, which reside on the four physical hostmachines 605-620. Each of these host machines includes a managedforwarding element (MFE) 625. These MFEs may be flow-based forwardingelements (e.g., Open vSwitch) or code-based forwarding elements (e.g.,ESX), or a combination of the two, in various different embodiments.These different types of forwarding elements implement the variouslogical forwarding elements differently, but in each case, they executea pipeline for each logical forwarding element that may be required toprocess a packet.

Thus, as shown in FIG. 6, the MFEs 625 on the physical host machinesinclude configuration to implement both logical switches 425 and 430(LSA and LSB), the DR 560 and transit logical switch 555 for the VPCG410, and the DR 505 and transit logical switch 525 for the AZG 405. Someembodiments, however, only implement the distributed components of theAZG on the host machine MFEs 625 (those that couple to the data computenodes) when the VPCG for a data compute node residing on the hostmachine does not have a centralized component (i.e., SRs). As discussedbelow, northbound packets sent from the VMs to the external network willbe processed by their local (first-hop) MFE, until a transit logicalswitch pipeline specifies to send the packet to a SR. If that first SRis part of the VPCG, then the first-hop MFE will not perform any AZGprocessing, and therefore the AZG pipeline configuration need not bepushed to those MFEs by the centralized controller(s). However, becauseof the possibility that one of the VPCGs 415-420 may not have acentralized component, some embodiments always push the distributedaspects of the AZG (the DR and the transit LS) to all of the MFEs. Otherembodiments only push the configuration for the AZG pipelines to theMFEs that are also receiving configuration for the fully distributedVPCGs (those without any SRs).

In addition, the physical implementation shown in FIG. 6 includes fourphysical gateway machines 630-645 (also called edge nodes, in someembodiments) to which the SRs of the AZG 405 and the VPCG 410 areassigned. In this case, the administrators that configured the AZG 405and the VPCG 410 selected the same group of physical gateway machinesfor the SRs, and the management plane assigned one of the SRs for bothof these logical routers to the third gateway machine 640. As shown, thethree SRs 510-520 for the AZG 405 are each assigned to different gatewaymachines 630-640, while the two SRs 545 and 550 for the VPCG 410 arealso each assigned to different gateway machines 640 and 645.

This figure shows the SRs as separate from the MFEs 650 that operate onthe gateway machines. As indicated above, different embodiments mayimplement the SRs differently. Some embodiments implement the SRs as VMs(e.g., when the MFE is a virtual switch integrated into thevirtualization software of the gateway machine), in which case the SRprocessing is performed outside of the MFE. On the other hand, someembodiments implement the SRs as VRFs within the MFE datapath (when theMFE uses DPDK for the datapath processing). In either case, the MFEtreats the SR as part of the datapath, but in the case of the SR being aVM (or other data compute node), sends the packet to the separate SR forprocessing by the SR pipeline (which may include the performance ofvarious services). As with the MFEs 625 on the host machines, the MFEs650 of some embodiments are configured to perform all of the distributedprocessing components of the logical network.

FIGS. 7 and 10 illustrate a set of logical processing operations relatedto availability zone (T0) and VPC (T1) logical routers. FIG. 7illustrates logical processing operations for availability zone (T0)logical router components that are included in edge datapath 710executed by an edge device 700 for data messages. In some embodiments,edge datapath 710 is executed by an edge forwarding element of edgedevice 700. Edge datapath 710 includes logical processing stages for aplurality of operations including an availability zone (T0) service(e.g., centralized) router 730 and an availability zone (T0) distributedrouter 740. As shown, the T0 SR 730 calls a set of service insertionlayer and service transport layer modules 735 to perform serviceclassification operations (or service insertion (SI) classificationoperations). In some embodiments, edge datapath 710 includes logicalprocessing operations for VPC (T1) service and distributed routers. Asfor the availability zone (T0) SR, the VPC (T1) SR, in some embodiments,calls a set of service insertion layer and service transport layermodules to perform service classification operations.

Service insertion layer and service transport layer modules 735 includea service insertion pre-processor 720, a connection tracker 721, aservice layer transport module 722, a logical switch service planeprocessor 723, a service plane layer 2 interface 724, a service routingfunction 725, bump-in-the-wire (BIW) pair interfaces 726, a virtualtunnel interface 727, a service insertion post-processor 728, and a flowprogramming table 729. Service insertion pre-processor 720, in someembodiments, performs the process 100 to determine service type andforwarding information for a received data message. Service transportlayer module 722, in some embodiments, performs the process 300 todirect the data message to the appropriate service nodes to haverequired services performed and to return the data message to the T0 SR730 for routing to a destination of the data message.

The function of the modules of the service insertion layer and servicetransport layer 735 are described in more detail in relation to FIGS.11, 12, 18, and 19 below. In some embodiments, the service insertionpre-processor 720 is called for data messages received on each of a setof interfaces of the edge forwarding element that is not connected to aservice node. The service insertion (SI) pre-processor 720 appliesservice classification rules (e.g., service insertion rules) defined forapplication at the T0 SR 730 (e.g., defined by a provider or by a tenanthaving multiple VPCGs behind a single AZG). Each service classificationrule, in some embodiments, is defined in terms of flow identifiers thatidentify a data message flow that require a service insertion operation(e.g., servicing by a set of service nodes). The flow identifiers, insome embodiments, include a set of data message attributes (e.g., anyone of, or combination of, a set of header values (e.g., a 5-tuple) thatdefine a data message flow), a set of contextual data associated withthe data message, or a value derived from the set of header values orcontextual data (e.g., a hash of a set of header values or of anapplication identifier for an application associated with the datamessage).

In some embodiments, interfaces connected to service nodes areconfigured to mark data messages being returned to the edge forwardingelement as serviced so that they are not provided to the SIpre-processor 720 again. After the service classification operations areperformed by the SI pre-processor 720 the result of the classificationoperation is passed to the service transport layer module 722 to be usedto forward the data message to a set of service nodes that provides arequired set of services.

After the service node(s) process the data message the serviced datamessage is returned to the service transport layer module 722 forpost-processing at SI post-processor 728 before being returned to the T0SR 730 for routing. The T0 SR 730 routes the data message and providesthe data message to the T0 DR 740. In some embodiments the T0 SR 730 isconnected to the T0 DR 740 through a transit logical switch (not shown)as described above in relation to FIGS. 5 and 6. The T0 SR 730 and T0 DR740 perform logical routing operations to forward the incoming datamessage to the correct virtual private cloud gateway and ultimately tothe destination compute node. The logical routing operations, in someembodiments, include identifying egress logical ports of the logicalrouter used to forward the data message to a next hop based on adestination IP address of the data message.

In some embodiments, edge datapath 710 also includes logical processingstages for T1 SR and T1 DR operations as well as the T0 SR 730 and T0 DR740. Some embodiments insert a second service classification operationperformed by a set of service insertion layer and service transportlayer modules called by a T1 SR. The SI pre-processor called by the VPCGapplies service classification rules (e.g., service insertion rules)defined for the VPCG (e.g., service insertion rules for a particular VPClogical network behind the VPCG). The VPCG-specific serviceclassification rules, in some embodiments, are included in a same set ofrules as the AZG-specific service classification rules and aredistinguished by a logical forwarding element identifier. In otherembodiments, the VPCG-specific service classification rules are storedin a separate service classification rule storage or database used bythe SI pre-processor called by the VPCG.

The SI pre-processor called by the VPCG performs the same operations asthe SI pre-processor 720 to identify data messages that require a set ofservices and the forwarding information and service type for theidentified data messages. As for SI pre-processor 720, the SIpre-processor performs the service classification operations and afterthe services are provided, the data message is returned to the logicalprocessing stage for the T1 SR. The T1 SR routes the data message andprovides the data message to the T1 DR. In some embodiments, the T1 SRis connected to the T1 DR through a transit logical switch (not shown)as described above in relation to FIGS. 5 and 6. The T1 SR and T1 DRperform logical routing operations to forward the incoming data messageto the destination compute node through a set of logical switches asdescribed in relation to FIGS. 5 and 6. The logical routing operations,in some embodiments, include identifying egress logical ports of thelogical router used to forward the data message to a next hop based on adestination IP address of the data message. Multiple T1 SRs and DRs maybe identified by the T0 DR 740 and the above discussion applies, in someembodiments, to each T1 SR/DR in the logical network. Accordingly, oneof ordinary skill in the art will understand that edge device 700, insome embodiments, performs edge processing for multiple tenants each ofwhich shares a same set of AZG processing stages but has its own VPCGprocessing stages.

For outgoing messages the edge datapath is similar but, in someembodiments, will include T1 and T0 DR components only if the sourcecompute node is executing on the edge device 700 or the T1 SR executeson the edge device 700 respectively. Otherwise the host of the sourcenode (or the edge device that executes the T1 SR) will perform thelogical routing associated with the T1/T0 DR. Additionally, for outgoingdata messages, data messages are logically routed by SRs (e.g., T0 SR730) before calling the service insertion layer and service transportlayer modules. The function of the service insertion layer and servicetransport layer modules is similar to the forward direction (e.g., theincoming data messages discussed above) and will be discussed in moredetail below. For data messages requiring services, the serviced datamessage is returned to the SR (e.g., T0 SR 730) to be sent over theinterface identified by the logical routing processing.

FIG. 8 illustrates a TX SR 1130 acting as a source for traffic on alogical service forwarding element 801 (e.g., a logical service switch).The logical service forwarding element (LSFE) is implemented by a set ofN software switches 802 executing on N devices. The N devices includes aset of devices on which service nodes (e.g., service virtual machine806) execute. The TX SR 1130, through the SIL and STL modules 1120 and1122 respectively, sends a data message that requires servicing by theSVM 806. The SI layer modules 1120 identifies the forwarding informationnecessary to send the data message over the LSFE to the SVM 806 as wasdiscussed above in relation to FIG. 1 and will be discussed below inrelation to FIGS. 11 and 12. The forwarding information and the datamessage is then provided to the STL module 1122 to be processed fordelivery to the SVM 806 over the LSFE using port 810. Because the SVM806 executes on a separate device, the data message sent out of softwareswitch port 815 is encapsulated by encapsulation processor 841 fortransport across an intervening network.

The encapsulated data message is then unencapsulated by encapsulationprocessor 842 and provided to port 816 for delivery to the SVM 806through its STL module 826 and SI proxy 814. A return data messagetraverses the modules in the reverse order. The operations of STL module826 and SI proxy 814 are discussed in more detail in U.S. patentapplication Ser. No. 16/444,826.

FIG. 9 illustrates a service path including two service nodes 906 and908 accessed by the TX SR 1130 through LSFE 801. As shown, TX SR 1130sends a first data message as described in relation to FIG. 8. The datamessage is received by SVM 1 906 which provides a first service in aservice path and forwards the data message to the next hop in theservice path, in this case SVM 2 908. SVM2 908 receives the datamessage, provides a second service and forwards the data message to theTX SR 1130 which in some embodiments is identified as a next hop in theservice path. In other embodiments, the TX SR 1130 is identified as thesource to which to return the serviced data message after the last hop(e.g., SVM 2 908) has provided its service. As for FIG. 8, additionaldetails of the processing at each module is explained in more detail inU.S. patent application Ser. No. 16/444,826.

FIG. 10 illustrates a second embodiment including two edge devices 1000and 1005 executing an AZ gateway datapath 1010 and VPC gateway datapath1015 respectively. The functions of similarly numbered elements thatappear in FIGS. 7 and 10 are equivalent. The difference between FIGS. 7and 10 is that in FIG. 10 the VPC edge datapath (T1 SR 1060 and serviceinsertion layer and service transport layer modules 1065) is executed inedge device 1005 instead of edge device 1000. As discussed above,distributed routers, in some embodiments, are performed at whicheverdevice performs the immediately previous processing step.

An edge forwarding element is configured, in some embodiments, toprovide services using the service logical forwarding element as atransport mechanism as described in relation to FIG. 11. The edgeforwarding element is configured to connect different sets of virtualinterfaces of the edge forwarding element to different network elementsof the logical network using different transport mechanisms. Forexample, a first set of virtual interfaces is configured to connect to aset of forwarding elements internal to the logical network using a setof logical forwarding elements connecting source and destinationmachines of traffic for the logical network. Traffic received on thefirst set of interfaces is forwarded to a next hop towards thedestination by the edge forwarding element without being returned to theforwarding element from which it was received, in some embodiments. Asecond set of virtual interfaces is configured to connect to a set ofservice nodes to provide services for data messages received at the edgeforwarding element.

Each connection made for the second set of virtual interfaces may usedifferent transport mechanisms such as a service logical forwardingelement, a tunneling mechanism, and a bump-in-the-wire mechanism, and insome embodiments, some or all of the transport mechanisms are used toprovide data messages to the service nodes as discussed below inrelation to FIGS. 11, 12, 18 and 19. Each virtual interface in a thirdset of virtual interfaces (e.g., a subset of the second set) isconfigured to connect to a logical service forwarding element connectingthe edge forwarding element to at least one internal forwarding elementin the set of internal forwarding elements as described below inrelation to FIGS. 30-32A-B. The virtual interfaces are configured to beused (1) to receive data messages from the at least one internalforwarding element to be provided a service by at least one service nodein the set of service nodes and (2) to return the serviced data messageto the internal forwarding element network.

The transport mechanisms, in some embodiments, include a logical serviceforwarding element that connects the edge forwarding element to a set ofservice nodes that each provide a service in the set of services. Inselecting the set of services, the service classification operation ofsome embodiments identifies a chain of multiple service operations thathas to be performed on the data message. The service classificationoperation, in some embodiments, includes selecting, for the identifiedchain of services, a service path to provide the multiple services.After selecting the service path, the data message is sent along theselected service path to have the services provided. Once the serviceshave been provided the data message is returned to the edge forwardingelement by a last service node in the service path that performs thelast service operation and the edge forwarding element performs aforwarding operation to forward the data message as will be discussedfurther in relation to FIGS. 11 and 12.

FIG. 11 illustrates a set of operations performed by a set of serviceinsertion layer and service transport layer modules 1135 called by aservice router at either T0 or T1 (e.g., TX SR 1130) for a first datamessage 1110 in a data message flow that requires services from a set ofservice nodes that define a service path. FIG. 11 is illustrated for TXSR 1130, and service insertion layer (SIL) and service transport layer(STL) modules 1135. TX SR 1130 and SIL and STL modules 1135 representthe function of a centralized service router and SIL and STL modules ateither of T0 and T1, in some embodiments. T0 and T1 datapaths, in someembodiments, share a same set of SIL and STL modules, while in othersseparate SIL and STL modules are used by T0 and T1 datapaths. SIL andSTL modules 1135 include a service insertion pre-processor 1120, aconnection tracker 1121, a service layer transport module 1122, alogical switch service plane processor 1123, a service plane layer 2interface 1124, a service insertion post-processor 1128, and a flowprogramming table 1129.

Data message 1110 is received at the edge device and provided to theedge TX SR 1130. In some embodiments, the TX SR 1130 receives the datamessage at an uplink interface or at a virtual tunnel interface of theTX SR 1130. In some embodiments, the SI Pre-processor 1120 is called atdifferent processing operations for an uplink interface and a virtualtunnel interface (VTI). In some embodiments, the calls for data messagesreceived at an uplink interface and a virtual tunnel interface areimplemented by different components of the edge device. For example, theSI pre-processor 1120 is called for data messages received at the uplinkinterface, in some embodiments, by a NIC driver as part of a standarddata message pipeline, while the SI pre-processor 1120 is called fordata messages received at a VTI is called after (before) a decapsulationand decryption (encryption and encapsulation) operation as part of aseparate VTI processing pipeline. In some embodiments implementing theSI pre-processor 1120 differently for uplinks and VTIs, a sameconnection tracker is used to maintain a consistent state for each datamessage even if it traverses a VTI and an uplink.

The SI pre-processor 1120 performs a set of operations similar to theoperations of process 100. The SI pre-processor 1120 performs a lookupin connection tracker storage 1121 to determine if a connection trackerrecord exists for the data message flow to which the data messagebelongs. As discussed above, the determination is based on a flowidentifier including, or derived from, flow attributes (e.g., headervalues, contextual data, or values derived from the header values and,alternatively or conjunctively, the contextual data). In the illustratedexample, the data message 1110 is a first data message in a data messageflow and no connection tracker record is identified for the data messageflow to which data message 1110 belongs. The connection tracker storagelookup is equivalent to operation 120 of process 100, and if anup-to-date connection tracker record had been found, the SIpre-processor 1120 would have forwarded the information in theidentified connection tracker record to the LR-SR as in operations 120,125, and 170 of process 100.

Since, in this example, no connection tracker record is found, SIpre-processor 1120 performs a lookup in a service insertion rule storage1136 to determine if any service insertion (service classification)rules apply to the data message. In some embodiments, the SI rules fordifferent interfaces are stored in the SI rule storage 1136 as separaterule sets that are queried based on an incoming interface identifier(e.g., an incoming interface UUID stored as metadata in a buffer of theedge device). In other embodiments, the SI rules for differentinterfaces are stored as a single rule set with potential matching rulesexamined to see if they apply to the interface on which the data messagewas received. As will be discussed below, the SI rule set(s) arereceived from a controller that generates the rule sets based onpolicies defined at a network manager (by an administrator or by thesystem). The SI rules 1145 in the SI rule storage 1136, in someembodiments, are specified in terms of flow attributes that identifydata message flows to which the rule applies and a service action. Inthe illustrated example, the service action is a redirection to a UUIDthat is used to identify the service type and forwarding information.

Assuming that the lookup in the SI rule storage 1136 results inidentifying a service insertion rule that applies to the data message1110, the process uses the UUID identified from the service applicableinsertion rule to query a policy table 1137. In some embodiments, theUUID is used to simplify the management of service insertion such thateach individual rule specifying a same service node set does not need tobe updated if a particular service node in the service node set failsand instead the set of service nodes associated with the UUID can beupdated, or a selection (e.g., load balancing) operation can be updatedfor the UUID. The current example illustrates a UUID that identifies aservice chain identifier associated with multiple service pathsidentified by multiple service path identifiers (SPIs) and a set ofselection metrics. The selection metrics can be selection metrics for aload balancing operation that is any of: a round robin mechanism, aload-based selection operation (e.g., selecting a service node with alowest current load), or a distance-based selection operation (e.g.,selecting a closest service node as measured by a selected metric). Theset of service paths, in some embodiments, is a subset of all thepossible service paths for the service chain. In some embodiments, thesubset is selected by a controller that assigns different service pathsto different edge devices. The assignment of service paths to differentedge devices, in some embodiments, provides a first level of loadbalancing over the service nodes.

Once a service path is selected, the SI pre-processor 1120 identifiesforwarding information associated with the selected service path byperforming a lookup in forwarding table 1138. The forwarding table 1138stores forwarding information for the service path (e.g., a MAC addressfor a first hop in the service path). In some embodiments, theforwarding information includes a service index that indicates a servicepath length (i.e., the number of service nodes included in the servicepath). In some embodiments, the forwarding information also includes atime to live (TTL) value that indicates the number of service nodes inthe service path. The next hop MAC address, service index, and TTLvalues, in other embodiments, are stored with the SPI in the policytable 1137 and the forwarding table 1138 is unnecessary.

In some embodiments, selecting a service path for a forward directiondata message flow includes selecting a corresponding service path for areverse direction data message flow. In such embodiments, forwardinginformation for each direction is determined at this point. The servicepath for the reverse direction data message flow, in some embodiments,includes the same service nodes as the service path for the forwarddirection data message flow but traverses the service nodes in theopposite order. In some embodiments, the service path for the reversedirection data message flow traverses the service nodes in the oppositeorder when at least one service node modifies the data message. Theservice path for the reverse direction data message flow, for some datamessage flows, is the same service path as for the forward directionflow. In some embodiments, the SR is made available as a service node toprovide an L3 routing service and is identified as a last hop for eachservice path. The SR L3 routing service node, in some embodiments, isalso a first hop for each service path to ensure that traversing theservice path in the opposite order will end at the SR, and the SRperforms the first hop processing of the service path as a service node.

Once the service path has been selected and the forwarding informationhas been identified, connection tracker records are created for theforward and reverse direction flows and are provided to the connectiontracker storage 1121. In some embodiments, a service insertionpost-processor 1128 is queried for a state value (e.g., a flowprogramming version value “flow_prog_gen”) that indicates a currentstate of a set of service nodes (e.g., a set of service nodes associatedwith the identified service type). As discussed below, the connectiontracker records includes the forwarding information (e.g., the SPI, theservice index, a next hop MAC address, and a service insertion ruleidentifier for the service insertion rule that was identified asmatching the attributes of data message 1110) used to process subsequentdata messages in the forward and reverse data message flows. In someembodiments, the connection tracker record also includes the flowprogramming version value to indicate a current flow programming versionvalue at the time the connection tracker record is created forcomparison to then-current values for subsequent data messages in thedata message flow for which the record is created.

The data message 1152 along with the forwarding information 1151 arethen provided to the STL module 1122. The forwarding information, inthis example, for a data message requiring services provided by aservice chain includes service metadata (SMD) that includes, in someembodiments include any or all of a service chain identifier (SCI), aSPI, a service index, a TTL value, and a direction value. The forwardinginformation, in some embodiments, also includes a MAC address for a nexthop and a service insertion type identifier to identify the data messageas using a logical service forwarding element transport mechanism.

The STL module 1122, as shown, provides the data message 1153 along withan encapsulating header 1154 that includes, in some embodiments, the SMDand liveness attributes that indicate that the L3 routing service nodeis still operational to a layer 2 service plane processor 1123 thatprepares the data message for sending to the service plane L2 interface1124 based on the information included in the encapsulating header 1154.In some embodiments, instead of an encapsulating header, the forwardinginformation is sent or stored as separate metadata that includes, insome embodiments, the SMD and liveness attributes that indicate that theL3 routing service node is still operational. The logical switch serviceplane processor 1123 functions similarly to a port proxy described inU.S. patent application Ser. No. 16/444,826 filed on Jun. 18, 2019. Asshown, the logical switch service plane processor 1123 removes theheader 1154 and records the SMD and next hop information. The datamessage is then provided to service plane L2 interface 1124 (e.g., asoftware switch port associated with the logical service forwardingelement).

The data message is then encapsulated for delivery to a first servicenode in the service path by an interface (e.g., a port or virtual tunnelendpoint (VTEP)) of the software forwarding element to produce 1157. Insome embodiments, the SMD is a modified set of SMD that enables theoriginal data 1110 message to be reconstructed when the serviced datamessage is returned to the logical switch service plane processor 1123.In some embodiments, the encapsulation is only necessary when the nexthop service node executes on another device so that the encapsulateddata message 1157 can traverse an intervening network fabric.

The encapsulation, in some embodiments, encapsulates the data messagewith an overlay header to produce data message 1157. In someembodiments, the overlay header is a Geneve header that stores the SMDand STL attributes in one or more of its TLVs. As mentioned above, theSMD attributes in some embodiments include the SCI value, the SPI value,the SI value, and the service direction. Other encapsulation headers aredescribed in U.S. patent application Ser. No. 16/444,826 filed on Jun.18, 2019. The illustrated datapath for data message 1110 assumes thatthe first service node in the service path is on an external host (ahost machine that is not the edge device). If, instead, the edge deviceis hosting the next service node in the service path, the data messagewill not require encapsulation and instead will be sent to the nextservice node over the logical service forwarding plane using the SVNIassociated with the logical service plane and the MAC address of thenext hop service node.

If flow programming instructions are included in encapsulation header1158, the flow programming instructions 1159 are provided to a flowprogramming table 1129 and a flow programming version value is updated(e.g., incremented). The flow programming instruction in the flowprogramming table 1129, in some embodiments, includes a new action(e.g., pf_value) that indicates that subsequent data messages should bedropped, allowed, or a new service path is identified to skip aparticular service node (e.g., a firewall that has determined that theconnection is allowed) while traversing the other service nodes in theoriginal service path. The use of the flow programming version valuewill be discussed further in relation to FIG. 13.

FIG. 12 illustrates a set of operations performed by a set of serviceinsertion layer and service transport layer modules 1135 called by aservice router at either T0 or T1 (e.g., TX SR 1130) for a data message1210 in a data message flow that requires services from a set of servicenodes that define a service path. FIG. 12 is illustrated for TX SR 1130,and service insertion layer (SIL) and service transport layer (STL)modules 1135. TX SR 1130 and SIL and STL modules 1135 represent thefunction of a centralized service router and SIL and STL modules ateither of T0 and T1, in some embodiments. T0 and T1 datapaths, in someembodiments, share a same set of SIL and STL modules, while in othersseparate SIL and STL modules are used by T0 and T1 datapaths. SIL andSTL modules 1135 include a service insertion pre-processor 1120, aconnection tracker 1121, a service layer transport module 1122, alogical switch service plane processor 1123, a service plane layer 2interface 1124, a service insertion post-processor 1128, and a flowprogramming table 1129.

Data message 1210 is received at the edge device and provided to theedge TX SR 1130. In some embodiments, the TX SR 1130 receives the datamessage at an uplink interface or at a virtual tunnel interface of theTX SR 1130. In some embodiments, the SI Pre-processor 1120 is called atdifferent processing operations for an uplink interface and a virtualtunnel interface (VTI). In some embodiments, the calls for data messagesreceived at an uplink interface and a virtual tunnel interface areimplemented by different components of the edge device. For example, theSI pre-processor 1120 is called for data messages received at the uplinkinterface, in some embodiments, by a NIC driver as part of a standarddata message pipeline, while the SI pre-processor 1120 is called fordata messages received at a VTI is called after (before) a decapsulationand decryption (encryption and encapsulation) operation as part of aseparate VTI processing pipeline. In some embodiments implementing theSI pre-processor 1120 differently for uplinks and VTIs, a sameconnection tracker is used to maintain a consistent state for each datamessage even if it traverses a VTI and an uplink.

The SI pre-processor 1120 performs a set of operations similar to theoperations of process 100. The SI pre-processor 1120 performs a lookupin connection tracker storage 1121 to determine if a connection trackerrecord exists for the data message flow to which the data messagebelongs. As discussed above, the determination is based on a flowidentifier including, or derived from, flow attributes (e.g., headervalues, contextual data, or values derived from the header values and,alternatively or conjunctively, the contextual data). In the illustratedexample, the data message 1210 is a data message in a data message flowthat has a connection tracker record in the connection tracker storage1121. The connection tracker storage lookup begins with operation 120 ofprocess 100. FIG. 12 illustrates a set of additional operations thatwill be used as examples of the operations discussed in FIG. 13.

Some embodiments provide a method of performing stateful services thatkeeps track of changes to states of service nodes to update connectiontracker records when necessary. At least one global state valueindicating a state of the service nodes is maintained at the edgedevice. In some embodiments, different global state values aremaintained for service chain service nodes (SCSNs) and layer 2bump-in-the-wire service nodes (L2 SNs). The method generates a recordin a connection tracker storage including the current global state valueas a flow state value for a first data message in a data message flow.Each time a data message is received for the data message flow, thestored state value (i.e., a flow state value) is compared to therelevant global state value (e.g., SCSN state value or L2 SN statevalue) to determine if the stored action may have been updated.

After a change in the global state value relevant to the flow, theglobal state value and the flow state value do not match and the methodexamines a flow programming table to determine if the flow has beenaffected by the flow programming instruction(s) that caused the globalstate value to change (e.g., increment). The instructions stored in theflow programming table, in some embodiments, include a data message flowidentifier and an updated action (e.g., drop, allow, update selectedservice path, update a next hop address). If the data message flowidentifiers stored in the flow programming table do not match thecurrent data message flow identifier, the flow state value is updated tothe current global state value and the action stored in the connectiontracker record is used to process the data message. However, if at leastone of the data message flow identifiers stored in the flow programmingtable matches the current data message flow identifier, the flow statevalue is updated to the current global state value and the action storedin the connection tracker record is updated to reflect the execution ofthe instructions with a matching flow identifier stored in the flowprogramming table and the updated action is used to process the datamessage.

FIG. 13 conceptually illustrates a process 1300 for validating orupdating an identified connection tracker record for a data messageflow. Process 1300 in some embodiments is performed by an edgeforwarding element executing on an edge device. In the example of FIG.12, the process is performed by SI pre-processor 1120. The process 1300begins by identifying (at 1310) a connection tracker record for a datamessage received at the edge forwarding element. A flow programmingversion value is stored in the connection tracker record that reflectsthe flow programming version value at the time of connection trackerrecord generation. Alternatively, in some embodiments, the flowprogramming version value reflects the flow programming version value atthe last update of the connection tracker record. The connection trackerrecord stores the forwarding information for the data message flow.However, if a flow programming instruction exists for the data messageflow, the stored information may be out of date.

For some data message flows, a previous data message in the data messageflow will have been received that includes a set of flow programminginstructions. The data message, in some embodiments, is a serviced datamessage that has been serviced by a set of service nodes in a servicepath and the set of flow programming instructions is based on flowprogramming instruction from a set of service nodes in the service path.The set of flow programming instructions, in some embodiments, includesa flow programming instruction for both a forward direction data messageflow and a reverse direction data message flow that are affected by theflow programming instruction. In some embodiments, the forward andreverse flow ID are the same and a direction bit distinguishes betweenforward and reverse data message flows in the connection tracker record.

The set of flow programming instructions are recorded in a flowprogramming table and a flow programming version value is updated(incremented) at the flow programming table to reflect that flowprogramming instructions have been received that may require informationin at least one connection tracker record to be updated. The flowprogramming instructions, in some embodiments, are based on any of thefollowing events: the failure of a service node, an identification of aservice node that is no longer required to be part of the service path,a decision to drop a particular data message in a data message flow, ora decision to drop a particular data message flow. Based on the event,the flow programming instruction includes forwarding information thatspecifies a different service path than was previously selected (basedon service node failure or the identification of a service node that isno longer required) or a new action (e.g., pf_value) for a next datamessage (based on a decision to drop a particular data message in a datamessage flow) or for the data message flow (based on a decision to dropa particular data message flow). The flow programming table, in someembodiments, stores records relevant to individual flows and a record offailed service nodes (or the service paths that they belong to) used todetermine available service paths during service path selectionoperations. Records stored for individual flows, persist until they areexecuted, which, in some embodiments, occurs upon receiving the nextdata message for the data message flow as will be discussed below.

The process 1300 then determines (at 1320) whether the flow programminggeneration value is current (i.e., is not equal to the flow programmingversion value stored by the flow programming table). In the describedembodiment, determining (at 1320) whether the flow programming versionvalue (e.g., flow_prog_gen or BFD_gen) is current includes a query tothe flow programming table 1129 including only the flow programmingversion value to perform a simple query operation to determine whether afurther, more complicated query must be performed. If the flowprogramming version value is current the action stored in the connectiontracker record can be used to forward the data message to service nodesto provide the required services and the process ends.

If the process 1300 determines (at 1320) that the flow programmingversion value is not current, the process 1300 then determines (at 1330)whether there is a flow programming instruction that applies to thereceived data message (i.e., the data message flow to which the datamessage belongs). In some embodiments, this second determination is madeusing a query (e.g., 1271) that includes a flow ID that is used as a keyto identify a flow programming record stored in the flow programmingtable. In some embodiments, the query also includes a service pathidentifier (SPI) that can be used to determine whether the service pathhas failed. The flow programming generation value is not current, insome embodiments, because a flow programming instruction has beenreceived that causes the flow programming version value to update (e.g.,increment). The flow programming instruction, in some embodiments, isrelevant to the data message flow, while in other embodiments, the flowprogramming instruction is relevant to a different data message flow ora failed service node.

If the process 1300 determines (at 1330) that there is no relevant flowprogramming instruction for the received data message, the flowprogramming version value stored in the connection tracker record isupdated (at 1340) to reflect the flow programming version value returnedfrom the flow programming table. The data message is then processed (at1345) based on the action stored in the connection tracker record andthe process ends. If, however, the process 1300 determines (at 1330)that there is a relevant flow programming instruction for the receiveddata message, the action in the flow programming table is used (at 1350)to process the data message. In some embodiments, the determination thatthere is a relevant flow programming instruction for the received datamessage is based on receiving a non-empty response (e.g., 1272) to thequery. The connection tracker record is then updated (at 1360) based onthe query response to update the service action and the flow programmingversion value and the process ends. One of ordinary skill in the artwill appreciate that operations 1350 and 1360 are performed together orin a different order without affecting the functionality.

Processing the data message according to the forwarding informationbased on the flow programming record and connection tracker record, forsome data messages, includes forwarding the data message to the servicetransport layer module 1122 that forwards the data message along theservice path identified in the forwarding information. For other datamessages, processing the data message according to the forwardinginformation includes dropping (or allowing) the data message based onthe flow programming instruction. A similar process is performed for L2BIW service nodes based on a bidirectional forwarding detection (BFD)version value (e.g., BFD_gen) that is a state value associated withfailures of service nodes connected by a L2 BIW transport mechanism andis stored in a connection tracker record at creation.

After the data message is processed through SI post-processor 1128,serviced data message 1162 is provided to the TX SR 1130 marked (e.g.,using a tag, or metadata associated with the data message) as havingbeen serviced so that SI pre-processor is not called a second time toclassify the data message. TX SR 1130 then forwards the data message1163 to the next hop. In some embodiments, the marking as serviced ismaintained in forwarding the data message, while in some otherembodiments, the marking is removed as part of the logical routingoperation of the TX SR 1130. In some embodiments, metadata is stored forthe data message that indicates that the data message has been serviced.FIG. 31 will discuss an example of an embodiment that maintains theidentification of the data message as having been serviced to avoidcreating a loop from a T1 SR service classification operation.

FIG. 14 illustrates sets of connection tracker records 1410-1430 in aconnection tracker storage 1121 and an exemplary sets of flowprogramming records 1440-1490 in a flow programming table 1129.Connection tracker storage 1121 is shown storing connection trackerrecords 1410-1430. Connection tracker record sets 1410-1430 includeconnection tracker record sets for different transport mechanisms eachincluding separate records for forward and reverse direction datamessage flows.

Connection tracker record set 1410 is a set of connection trackerrecords for a forward and reverse direction data message flow that use alogical service plane (e.g., logical service forwarding element)transport mechanism. Connection tracker record set 1410, in someembodiments, includes a connection tracker record 1411 for a forwarddirection data message flow and a connection tracker record 1412 for areverse direction data message flow. Each connection tracker record 1411and 1412, includes a flow identifier (e.g., Flow ID or Flow ID′), a setof service metadata, a flow programming version value (e.g.,flow_program_gen), an action identifier (e.g., pf_value), and a rule IDidentifying a service rule that was used to create the connectiontracker record. The flow ID for the forward and reverse direction datamessage flows, in some embodiments, are different flow IDs that arebased on the switching of the source and destination addresses (e.g., IPand MAC addresses). The different flow IDs for the forward and reversedirection data message flows, in other embodiments, is based ondifferent values for source and destination addresses that are theresult of a network address translation provided by a service node inthe set of service nodes. In some embodiments, the forward and reverseflow IDs are the same except for a bit that indicates thedirectionality. In some embodiments, the directionality bit is stored ina separate field and forward and reverse flow IDs are the same.

In some embodiments, the service metadata (SMD) includes a service pathID (e.g., SPI 1 and SPI 1), a service index (e.g., SI which should bethe same for the forward and reverse direction data message flows), atime to live (TTL), and a next hop MAC address (e.g., hop1mac andhopMmac). The use of the SMD in processing data messages has beendescribed above in relation to FIGS. 3 and 11. The SMD, in someembodiments, includes the network service header (NSH) attributes perRFC (Request for Comments) 8300 of IETF (Internet Engineering TaskForce). The SMD includes, in some embodiments, a service chainidentifier (SCI) and a direction (e.g., forward or reverse) along withthe SPI and SI values, for processing the service operations of theservice chain.

The rule ID, in some embodiments, is used (as described in operation223) to identify a set of interfaces at which the rule is applied byusing the rule ID as a key in an applied_to storage 1401 that storesrecords including a rule ID field 1402 identifying the rule ID and anapplied_to field 1403 containing a list of interfaces at which theidentified rule is applied. In some embodiments, the interfaces arelogical interfaces of the service router identified by a UUID. Theapplied_to storage 1401, in some embodiments, is configured by acontroller that is aware of the service insertion rules, servicepolicies, and interface identifiers.

Connection tracker record set 1420 is a set of connection trackerrecords for a forward and reverse direction data message flow that use alayer 2 bump-in-the-wire (BIW) transport mechanism. Connection trackerrecord set 1420, in some embodiments, includes a connection trackerrecord 1421 for a forward direction data message flow and a connectiontracker record 1422 for a reverse direction data message flow. Eachconnection tracker record 1421 and 1422, includes a flow identifier(e.g., Flow ID or Flow ID′), an IP address (e.g., a dummy IP addressassociated with an interface connected to an L2 service node), abidirectional forwarding detection (BFD) version value (e.g., BFD_gen)that is a state value associated with failures of service nodesconnected to an LR-SR (e.g., an AZG-SR or VPCG-SR) by a L2 BIW transportmechanism, an action identifier (e.g., pf_value), and a rule IDidentifying a service rule that was used to create the connectiontracker record. The flow ID for the forward and reverse direction datamessage flows is the same as that described for connection trackerrecord 1410. In some embodiments, the pf_value is a value thatidentifies whether a flow should be allowed or dropped, bypassing theservice node.

Connection tracker record set 1430 is a set of connection trackerrecords for a forward and reverse direction data message flow that use alayer 3 tunneling transport mechanism. Connection tracker record set1430, in some embodiments, includes a connection tracker record 1431 fora forward direction data message flow and a connection tracker record1432 for a reverse direction data message flow. Each connection trackerrecord 1431 and 1432, includes a flow identifier (e.g., Flow ID or FlowID′), an IP address (e.g., an IP address of the virtual tunnel interfaceconnecting the LR-SR to the service node), an action identifier (e.g.,pf_value), and a rule ID identifying a service rule that was used tocreate the connection tracker record. The flow ID for the forward andreverse direction data message flows is the same as that described forconnection tracker record 1410. In some embodiments, the pf_value is avalue that identifies whether a flow should be allowed or dropped,bypassing the service node.

The flow programming table 1129, in some embodiments, stores statevalues 1440-1470. The state value “flow_program_gen” 1440 is a flowprogramming state value that is used to identify a state of changes to aflow programming table. As described above, the flow_program_gen valueis used to determine whether a flow programming table should beconsulted (e.g., if a connection tracker record stores an out-of-dateflow_program_gen value) to determine forwarding information for a datamessage, or if the forwarding information stored in the connectiontracker record is current (e.g., the connection tracker record stores acurrent flow_program_gen value).

The state value “BFD_gen” 1450 is a liveness state value that is used toidentify a state of changes to liveness values of service nodesconnected using the L2 BIW transport mechanism. Similarly to theflow_program_gen value, the BFD_gen value is used to determine whether aBFD_gen value stored in a connection tracker record is a current BFD_genvalue and the forwarding information is still valid, or whether theBFD_gen value stored in the connection tracker is out-of-date and the SIpre-processor needs to determine if the forwarding information is stillvalid (e.g., to determine if a service node corresponding to the storedIP address is still operational). In some embodiments, a separatestorage structure stores a list of failed service nodes using BFD (e.g.,L2 BIW service nodes) to detect failure that is consulted when a BFD_genvalue stored in a connection tracker record does not match a globalBFD_gen value.

The state value “SPI_fail_gen” 1460 is a liveness state value that isused to identify a state of changes to liveness values of service paths(i.e., ordered sets of service nodes) connected to an LR-SR using thelogical service plane (e.g., logical service forwarding element)transport mechanism. In some embodiments, the SPI_fail_gen value isprovided from a controller implementing a central control plane that isaware of service node failures and updates the SPI_fail_gen value uponservice node failure detection. Similarly to the BFD_gen value, theSPI_fail_gen is used to determine whether a SPI_fail_gen valueassociated with a service path identifier that is associated with a UUIDin a policy storage is up-to-date. If the SPI_fail_gen value is notup-to-date, a determination must be made as to whether a service pathcurrently enumerated as a possible service path is still functional. Insome embodiments, a separate storage structure stores a list of failedservice paths that is consulted when a SPI_fail_gen value is notup-to-date (i.e., does not match the stored SPI_fail_gen state value1460).

The state value “SN_gen” 1470 is a liveness state value that is used toidentify a state of changes to liveness values of service nodesconnected using the L3 tunneling transport mechanism. Similarly to theflow_program_gen value, the SN_gen value is used to determine whether aSN_gen value stored in a connection tracker record is a current SN_genvalue and the forwarding information is still valid, or whether theSN_gen value stored in the connection tracker is out-of-date and the SIpre-processor needs to determine if the forwarding information is stillvalid (e.g., to determine if a service node corresponding to the storedIP address is still operational). In some embodiments, a separatestorage structure stores a list of failed L3 service nodes that isconsulted when a SN_gen value stored in a connection tracker record doesnot match a global SN_gen value.

Flow programming table 1129 also stores sets of flow programminginstructions. In some embodiments, a single flow programming instructionreceived from a service node (through its service proxy) generates aflow programming record for each of a forward and reverse direction datamessage flow. Flow programming record set 1480 illustrates a flowprogramming record that updates a pf_value for a forward direction datamessage flow identified by Flow ID 1 (1481) and a reverse direction datamessage flow identified by Flow ID 1′ (1482). Flow ID 1 and flow ID 1′,in some embodiments are identical except for a bit that identifies theflow ID as a forward or reverse data message flow. In some embodiments,the pf_value′ included in the flow programming table record 1480 is anaction value that specifies that the data messages for the data messageflow should be dropped or allowed.

In some embodiments, the flow programming instruction is indicated by aflow programming tag that can specify the following operations (1) NONEwhen no action is required (which causes no flow programming operationto be performed), (2) DROP when no further data messages of this flowshould be forwarded along the service chain and instead should bedropped at the LR-SI classifier, and (3) ACCEPT when no further datamessages of this flow should be forwarded along the service chain andinstead the flow should be forwarded to the destination by the LR-SR. Insome embodiments, the flow programming tag can also specify DROPMESSAGE. The DROP MESSAGE is used when the service node needs tocommunicate with the proxy (e.g. to respond to a ping request) and wantsthe user data message (if any) to be dropped, even though no flowprogramming at the source is desired.

In some embodiments, an additional action is available for the serviceproxies to internally communicate failure of their SVMs. This actionwould direct the SI pre-processor in some embodiments to select anotherservice path (e.g., another SPI) for the data message's flow. Thisaction in some embodiments is carried in-band with a user data messageby setting an appropriate metadata field in some embodiments. Forinstance, as further described below, the service proxies communicatewith the SI post-processor (or a controller computer responsible forgenerating and maintaining lists of available service paths) through OAM(Operation, Administration, and Maintenance) metadata of the NSHattributes through in-band data message traffic over the data plane.Given that by design flow programming actions are affected by signalingdelays and are subject to loss, an SVM or service proxy might still seedata messages belonging to a flow that was expected to be dropped,accepted or re-directed at the source for some time after communicatingthe flow programming action to the proxy. In this case, the serviceplane should continue to set the action to drop, allow, or redirect atthe LR-SI classifier (or the connection tracker record).

Flow programming record set 1480 illustrates a flow programming recordthat updates a set of service metadata for a forward direction datamessage flow identified by Flow ID 2 (1481) and a reverse direction datamessage flow identified by Flow ID 2′ (1482). The updated SPI (e.g., SPI2 or SPI 2′) in some embodiments represents a different set of servicenodes. As discussed above, the updated service path may be based on aservice node failure or based on a determination that a particularservice node is no longer necessary (e.g., a service node that providesa firewall decision to allow the data message that applies to allsubsequent data messages).

Additional details relating to service chain and service path creationand management are discussed in relation to FIGS. 15 and 16. FIG. 15illustrates an object data model 1500 of some embodiments. In thismodel, objects shown in solid lines are provided by the user, whileobjects shown in dashed lines are generated by the service planemanagers and controllers. As shown, these objects include servicemanagers 1502, services 1504, service profiles 1506, vendor templates1507, a service attachment 1508, service instances 1510, servicedeployment 1513, service instance runtime (SIR) 1512, instance endpoint1514, instance runtime port 1516, service chains 1518, service insertionrules 1520, service paths 1522, and service path hops 1524.

In some embodiments, a service manager object 1502 can be created beforeor after the creation of a service object 1504. An administrator or aservice management system can invoke service manager APIs to create aservice manager. A service manager 1502 can be associated with a serviceat any point of time. In some embodiments, the service manager 1502includes service manager information, such as the vendor name, vendoridentifier, restUrl (for callbacks) and authentication/certificateinformation.

As mentioned above, the service plane does not require the presence oruse of a service manager as service nodes can operate in zero-awarenessmode (i.e., have zero awareness of the service plane). In someembodiments, zero-awareness mode only allows basic operations (e.g.,redirecting traffic towards the service's SVMs). In some suchembodiments, no integration is provided to distribute object information(such as service chain information, service profiles, etc.) to theservice manager servers. Instead, these servers can poll the networkmanager for objects of interest.

A service object 1504 represents a type of service that is provided by aservice node. The service object has a transport type attribute, whichspecifies its mechanism (e.g., NSH, GRE, QinQ, etc.) for receivingservice metadata. Each service object also has a state attribute (whichcan be enabled or disabled) as returned by service manager, and areference to a service manager that may be used for exposing REST APIendpoints to communicate events and perform API calls. It also includesa reference to an OVA/OVF attribute used to deploy instances of theservice.

Vendor template objects 1507 include one or more service profile objects1506. In some embodiments, service managers can register vendortemplates, and the service profiles can be defined on a per servicebasis and based on a vendor template with potentially specializedparameters. In some embodiments, a vendor template object 1507 iscreated for a L3 routing service that can be used to represent the LR-SRcomponents with an attribute that can be used to distinguish LR-SRcomponents of different edge forwarding elements. A service chain can bedefined by reference to one or more service profiles. In someembodiments, service profiles are not assigned tags and are notidentified explicitly on the wire. In order to determine which functionto apply to traffic, service nodes perform a look up (e.g., based onservice chain identifier, service index and the service direction, asmentioned above) in order to identify the applicable service profile.The mapping for this lookup is provided by the management plane toservice managers whenever a service chain is created or modified.

A service profile object 1506 in some embodiments includes (1) a vendortemplate attribute to identify its associated vendor template, (2) oneor more custom attributes when the template exposes configurable valuesthrough the service profile, and (3) an action attribute, such as aforward action, or a copy-and-redirect, which respectively direct theservice proxies to either forward the received data messages to theirservice nodes, or to forward a copy of the received data messages totheir service nodes while forwarding the received data message to thenext service hop or back to the original source GVM when their servicenode is the last hop.

The service attachment object 1508 represents the service plane (i.e.,is a representation of the service plane of a perspective of a user,such as tenant's network administrator in a multi-tenant datacenter, orthe network administrator in a private datacenter). This serviceattachment object is an abstraction that support any number of differentimplementations of the service plane (e.g., logical L2 overlay, logicalL3 overlay, logical network overlay etc.). In some embodiments, eachendpoint (on a service instance runtime (SIR) or a GVM) thatcommunicates over the service plane specifies a service attachment. Theservice attachment is a communication domain. As such, services or GVMsoutside a service attachment may not be able to communicate with oneanother.

In some embodiments, service attachments can be used to create multipleservice planes with hard isolation between them. A service attachmenthas the following attributes (1) logical identifier (e.g., SVNI for alogical switch) that identifies a logical network or logical forwardingelement that carries traffic for the service attachment, (2) a type ofservice attachment (e.g., L2 attachment, L3 attachment, etc.), and (3)an applied_To identifier that specifies a scope of the serviceattachment (e.g., Transport node 0 and Transport node 1 for north-southoperations and a cluster or set of hosts for East-West operations). Insome embodiments, the control plane (e.g., a central control plane)converts the service attachment representation that it receives from themanagement plane to a particular LFE or logical network deployment basedon parameters specified by a network administrator (e.g., a datacenteradministrator of a private or public cloud, or network virtualizationprovider in a public cloud).

A service instance object 1510 represents an actual deployed instancefor a service. Hence, each such object is associated with one serviceobject 1504 through a service deployment object 1513 that specifies therelationship between the service object 1504 and the service instanceobject 1510. The deployed service instance can be a standalone servicenode (e.g., standalone SVM) or it can be a high availability (HA)service node cluster. In some embodiments, the service deployment object1513 describes the service instance type, e.g., standalone or HA. Asdescribed below, the service deployment object's API can be used in someembodiments to deploy several service instances for a service.

The service instance runtime (SIR) object 1512 represents an actualruntime service node that operates in a standalone mode, or an actualruntime service node of an HA cluster. The service instance object insome embodiments includes the following attributes (1) a deployment modeattribute that specifies whether the service instance is operating in astandalone mode, an active/standby mode, or an active/active model, (2)a state attribute that specifies whether the instance is enabled ordisabled, and (3) a deployed_to attribute that in the case ofnorth-south operations includes a reference to a service attachmentidentifier.

In some embodiments, SVM provisioning is initiated manually. To thisend, the management plane provides, in some embodiments, APIs for (1)creating a service instance of an existing service, (2) deleting aservice instance, (3) growing a service instance that is alreadyconfigured as a high availability cluster by adding additional SIRs, and(4) shrinking a service instance by removing one of its SIRs. Whencreating a service instance of an existing service, the service instancemay be created in some embodiments on the basis of a template containedin the service. The caller can pick between a stand-alone instance or anHA cluster, in which case all the VMs in the HA cluster are provisioned.Again, in some embodiments, the API for the service instance deploymentallows multiple service instances (e.g., for an HA cluster) to bedeployed through just one API call.

In some embodiments, an API that creates one or more SVMs specifies oneor more logical locations (e.g. clusters, host, resource pool) in whichthe SVMs should be placed. In some embodiments, the management planetries to place SVMs belonging to the same service instance on differenthosts whenever possible. Anti-affinity rules may also be configured asappropriate to maintain the distribution of SVMs across migration events(such as VMotion events supported by Dynamic Resource Scheduler ofVMware, Inc.). Similarly, the management plane may configure affinityrules with specific hosts (or groups of hosts) when available or theuser provisioning the service instance may explicitly pick a host or acluster.

As mentioned above, a service instance runtime object 1512 represents anactual SVM running on a host to implement a service. In embodiments inwhich LR-SRs provide an L3 routing service, the service instance runtimeobject 1512 also represents the edge forwarding element. An SIR is partof a service instance. Each SIR can have one or more traffic interfacescompletely dedicated to service plane traffic. In some embodiments, atleast one service proxy instance runs per SIR to handle data planesignaling and data message format conversion for the SIR as needed. Whena service instance is deployed, the SIRs are created for every SVMassociated with the service instance in some embodiments. The networkmanager also creates an instance endpoint for every service instance inan east-west service insertion. Each SIR object 1512 has the followingattributes in some embodiments (1) a state attribute which is active forSVMs that can process traffic and inactive for all others, regardless ofreason, and (2) a runtime state that specifies whether the data planeliveness detection detects that the SIR is up or down.

The instance runtime interface 1516 is the per-endpoint version of theservice instance endpoint 1514. In some embodiments, the instanceruntime interface 1516 is used to identify an interface for an SIR orGVM that can be the source or sink service plane traffic. In East-Westservice insertion, the lifecycle of an instance runtime interface insome embodiments is linked to the lifecycle of the service instanceruntime. In some embodiments, no user action is required to configure aninstance runtime interface.

In some embodiments, the instance runtime interface 1516 has thefollowing attributes: an endpoint identifier, a type, a reference to aservice attachment, and a location. The endpoint identifier is a dataplane identifier for the SIR VNIC. The endpoint identifier is generatedwhen the SIR or GVM is registered with the service transport layer, andmay be a MAC address or part of a MAC address. The type attribute can beshared or dedicated. SIR VNICs are dedicated, meaning that only serviceplane traffic is able to reach them, while GVM VNICs are shared, meaningthey will receive and transmit both service plane and regular traffic.The service-attachment reference is a reference to the serviceattachment that implements the service plane used to transmit andreceive service plane traffic. This reference in some embodiments is tothe SVNI of the service plane. The location attribute in someembodiments specifies the location of the instance runtime interface,which is the UUID of the host on which the instance runtime interface iscurrently located.

In some embodiments, a user defines a service chain object 1518 in termsof an ordered list of service profiles 1506. In some embodiments, eachservice chain conceptually provides separate paths for forward andreverse traffic directions, but if only one direction is provided atcreation time, the other one is generated automatically by reversingservice profile order. Either direction of the service chain (and evenboth directions) can be empty, meaning no services will process trafficin that direction. In some embodiments, the data plane will perform alookup even for an empty service chain.

Service chains are abstract concepts. They do not point to a specificset of service nodes. Rather, the network controllers that are part ofthe service plane platform automatically generate service paths thatpoint to sequences of service nodes for the service chain and directmessages/flows along the generated service paths. In some embodiments, aservice chain is identified in the management plane or control plane byits UUID, a unique identifier of the service chain. Service nodes areprovided with the meaning of service chain IDs through management planeAPIs received through their service managers. Further details aredescribed in U.S. patent application Ser. No. 16/444,826 filed on Jun.18, 2019.

A service chain tag in some embodiments may be used to identify aservice chain in the dataplane because UUIDs are too long to be carriedin encapsulating headers. A service chain ID in some embodiments is anunsigned integer like rule ID. Each data message redirected to a servicecarries the service chain tag for the service chain it is traversing.The management plane advertises UUID to service chain tag mappings whena service chain is created or modified. Service chain tags have a 1 to 1mapping with service chain UUIDs, whereas a single service chain canhave 0 to many service path indexes.

In addition to a service chain ID, a service chain in some embodimentshas the following attributes: (1) references to all computed servicepaths, (2) failure policies, and (3) references to service profiles.References to computed service paths were described above. The failurepolicy is applied when a service path selected for a service chaincannot be traversed. In some embodiments, the failure policies may bePASS (forward traffic) and FAIL (drop traffic). The references toservice profiles of the service chain may include an egress list ofservice profiles that egress traffic (e.g., data messages traveling froma GVM to a switch) must traverse, and an ingress list of serviceprofiles that ingress traffic (e.g., data messages traveling from theswitch to a GVM) must traverse. In some embodiments, the ingress list isinitialized by default as the reverse of the egress list.

Different techniques can be used in some embodiments to define theservice paths for the service chain. For instance, in some embodiments,a service chain can have an associated load balancing strategy, whichcan be one of the following strategies. The load balancing strategy isresponsible for load balancing traffic across different service paths ofa service chain. According to an ANY strategy, the service framework isfree to redirect the traffic to any service path regardless of any loadbalancing consideration or flow pinning. Another strategy is a LOCALstrategy, which specifies that local service instances (e.g., SVMsexecuting on the same host computer as the source GVM) are to bepreferred over remote service instances (e.g., SVMs executing on otherhost computers or external service appliances).

Some embodiments generate scores for service paths based on how manySIRs are local and the highest score is selected regardless of load.Another strategy is the cluster strategy, which specifies that serviceinstances implemented by VMs that are co-located on the same host arepreferred, whether that host is the local one or a different one. AROUND ROBIN strategy directs that all active service paths are hit withequal probability or based on probabilities that are specified by a setof weight values.

An SI rule object 1520 associates a set of data message attributes witha service chain represented by the service chain object 1518. Theservice chain is implemented by one or more service paths, each of whichis defined by a service path object 1522. Each service path has one ormore service hops, which are represented by one or more service path hopobjects 1524 with each hop being associated with one instance runtimeinterface 1516. Each service hop also refers to an associated serviceprofile, an associated service path, and a next hop SIR endpointidentifier in some embodiments.

In some embodiments, a service path object has several attributes, someof which may be updated by the management or control plane whenunderlying conditions change. These properties include a service pathindex, a state (e.g., enabled or disabled), an administrative mode(e.g., enabled or disabled) used when a service path must be manuallydisabled (e.g., for debugging reasons), a host crossing count(indicating how many times a data message traversing the service pathcrosses hosts), a locality count (indicating how many of the SIRs alongthis path are located on the local host), a list of backup servicepaths, a length of the service path, a reverse path (listing the sameset of SIRs in the reverse order), and a maintenance mode indicator (insome embodiments a bit indicating true if any hop in the service path isin maintenance mode).

The host crossing count is an integer and indicates how many times adata message going through the service path must be sent out of a PNIC.In some embodiments, a local or central control plane uses this metricto determine preferred paths when multiple available alternatives exist.This value is populated by the management plane or control plane and isthe same for each host using the service path. The locality count insome embodiments is not initialized by the management plane or thecontrol plane but rather computed by the local control plane when aservice path is created or updated. Each LCP may potentially compute adifferent number. This value is used by the local control plane toidentify preferred paths when multiple available alternatives exist. Theservice path length is one parameter that is used by the service planeto set the initial service index.

In some embodiments, the list of backup service paths is a pointer to asorted list of all service paths for the same service chain. It listsall possible alternatives to be tried when a specific SIR along the pathis down. This list may contain a service path for all possiblepermutations of SVMs in each HA cluster traversed by the service path.In some embodiments, the list will not contain SIRs belonging todifferent HA clusters.

In some embodiments a service path is disabled when at least one servicehop is inactive. Such a condition is temporary and is triggered byservice liveness detection failures. A service path can be disabled inthis manner at any time. In some embodiments, a service path is alsodisabled when at least one service hop has no matching SIR. The servicehop enters this condition when an SIR it is referring to disappears, butthe service path still exists in the object model.

The service plane must be able to uniquely identify each SPI. In someembodiments, the control plane generated UUIDs are sent for each servicepath. Due to data message header limitations in the service plane, alarge ID is not sent with each data message in some embodiments. In someembodiments, when the control plane generates a UUID for each servicepath, it also generates a small unique ID for it and this ID is sentwith each data message in these embodiments.

To support using LR-SRs as service plane traffic sinks, in someembodiments, the network manager or controller generates an internalservice representing the edge forwarding element and creates a vendortemplate representing L3 routing with a configurable settingrepresenting the LR-SR. For each LR-SR, the network manager orcontroller, in some embodiments, creates (1) a service profilespecializing the L3 routing vendor template, (2) service instances, and(3) service instance endpoints. The network manager or controller thenallows the service profile in service chains and configures failurepolicies for the service paths including the LR-SR. A service linkconnected to the logical service plane is then provisioned for the LR-SRand the data plane is configured to inject service plane traffic intothe regular routing pipeline of the LR-SR.

FIG. 16 conceptually illustrates several operations that the networkmanagers and controllers perform in some embodiments to define rules forservice insertion, next service hop forwarding, and service processing.As shown, these operations are performed by a service registrator 1604,a service chain creator 1606, a service rule creator 1608, a servicepath generator 1612, a service plane rule generator 1610, and a ruledistributor 1614. In some embodiments, each of these operators can beimplemented by one or more modules of a network manager or controllerand/or can be implemented by one or more standalone servers.

Through a service partner interface 1602 (e.g., a set of APIs or apartner user interface (UI) portal), the service registrator 1604receives vendor templates 1605 that specify services that differentservice partners perform. These templates define the partner services interms of one or more service descriptors, including service profiles.The registrator 1604 stores the service profiles in a profile storage1607 for the service chain creator 1606 to use to define service chains.

Specifically, through a user interface 1618 (e.g., a set of APIs or a UIportal), the service chain creator 1606 receives from a networkadministrator (e.g., a datacenter administrator, a tenant administrator,etc.) one or more service chain definitions. In some embodiments, eachservice chain definition associates a service chain identifier, whichidentified the service chain, with an ordered sequence of one or moreservice profiles. Each service profile in a defined service chain isassociated with a service operation that needs to be performed by aservice node. The service chain creator 1606 stores the definition ofeach service chain in the service chain storage 1620.

Through the user interface 1618 (e.g., a set of APIs or a UI portal),the service rule creator 1608 receives from a network administrator(e.g., a datacenter administrator, a tenant administrator, etc.) one ormore service insertion rules. In some embodiments, each serviceinsertion rule associates a set of data message flow attributes with aservice chain identifier. The flow attributes in some embodiments areflow header attributes, like L2 attributes or L3/L4 attributes (e.g.,five tuple attributes). In these or other embodiments, the flowattributes are contextual attributes (e.g., AppID, process ID, activedirectory ID, etc.). Numerous techniques for capturing and usingcontextual attributes for performing forwarding and service operationsare described in U.S. patent application Ser. No. 15/650,251, nowpublished as U.S. Patent Publication 2018/0181423, which is incorporatedherein. Any of these techniques can be used in conjunction with theembodiments described herein.

The service rule creator 1608 generates one or more service insertionrules and stores these rules in the SI rule storage 1622. In someembodiments, each service insertion rule has a rule identifier and aservice chain identifier. The rule identifier in some embodiments can bedefined in terms of flow identifiers (e.g., header attributes,contextual attributes, etc.) that identify data message flow(s) to whichthe SI rule is applicable. The service chain identifier of each SI rule,on the other hand, identifies the service chain that has to be performedby the service plane for any data message flow that matches the ruleidentifier of the SI rule.

For each service chain that is part of a service rule, the service pathgenerator 1612 generates one or more service paths, with each pathidentifying one or more service instance endpoints for one or moreservice nodes to perform the service operations specified by the chain'ssequence of service profiles. In some embodiments, the process thatgenerates the service paths for a service chain accounts for one or morecriteria, such as (1) the data message processing load on the servicenodes (e.g., SVMs) that are candidate service nodes for the servicepaths, (2) the number of host computers crossed by the data messages ofa flow as they traverse each candidate service path, etc.

The generation of these service paths is further described in U.S.patent application Ser. No. 16/282,802, which is incorporated herein byreference. As described in this patent application, some embodimentsidentify the service paths to use for a particular GVM on a particularhost based on one or more metrics, such as host crossing count(indicating how many times a data message traversing the service pathcrosses hosts), a locality count (indicating how many of the SIRs alongthis path are located on the local host), etc. Other embodimentsidentify service paths (i.e., select service nodes for service paths)based on other metrics, such as financial and licensing metrics.

The service path generator 1612 stores the identity of the generatedservice paths in the service path storage 1624. This storage in someembodiments associates each service chain identifier to one or moreservice path identifiers, and for each service path (i.e., each SPI) itprovides a list of service instance endpoints that define the servicepath. Some embodiments store the service path definitions in one datastorage, while storing the association between the service chain and itsservice paths in another data storage.

The service rule generator 1610 then generates rules for serviceinsertion, next service hop forwarding, and service processing from therules stored in storages 1620, 1622 and 1624, and stores these rules inrule storages 1626, 1628 and 1630, from where the rule distributor 1614can retrieve these rules and distribute them to the SI pre-processors,service proxies and service nodes. The distributor 1614 also distributesin some embodiments the path definitions from the service path storage1624. The path definitions in some embodiments includes the first hopnetwork address (e.g., MAC address) of the first hop along each path. Insome embodiments, the service rule generator 1610 and/or the ruledistributor 1614 specify and distribute different sets of service pathsfor the same service chain to different host computers, as differentsets of service paths are optimal or preferred for different hostcomputers.

In some embodiments, the SI classification rules that are stored in therule storage 1626 associate flow identifiers with service chainidentifiers. Hence, in some embodiments, the rule generator 1610retrieves these rules from the storage 1622 and stores them in theclassification rule storage 1626. In some embodiments, the ruledistributor 1614 directly retrieves the classification rules from the SIrule storage 1622. For these embodiments, the depiction of the SIclassification rule storage 1626 is more of a conceptual illustration tohighlight the three types of the distributed rules, along with thenext-hop forwarding rules and the service node rules.

In some embodiments, the service rule generator 1610 generates the nexthop forwarding rules for each hop service proxy of each service path foreach service chain. As mentioned above, each service proxy's forwardingtable in some embodiments has a forwarding rule that identifies the nexthop network address for each service path on which the proxy'sassociated service node resides. Each such forwarding rule maps thecurrent SPI/SI values to the next hop network address. The service rulegenerator 1610 generates these rules. For the embodiments in which theSI pre-processor has to look-up the first hop network address, theservice rule generator also generates the first hop look-up rule for theSI pre-processor.

Also, in some embodiments, the service rule generator 1610 generates forthe service nodes service rules that map service chain identifier,service index values and service directions to service profiles of theservice nodes. To do this, the service rule generator uses the servicechain and service path definitions from the storages 1620 and 1624, aswell as the service profile definitions from the service profile storage1607. In some embodiments, the rule distributor forwards the servicenode rules to a service node through a service manager of the servicenode when such a service manager exists. The service profile definitionsare also distributed by the distributor 1614 to the host computers(e.g., to their LCPs) in some embodiments, so that these host computers(e.g., the LCPs) can use these service profiles to configure theirservice proxies, e.g., to configure the service proxies to forwardreceived data messages to their service nodes, or to copy the receiveddata messages and forward the copies to their service nodes, whileforwarding the original received data messages to their next servicenode hops or back to their source GVMs when they are the last hops.

In some embodiments, the management and control plane dynamically modifythe service paths for a service chain, based on the status of theservice nodes of the service paths and the data message processing loadson these service nodes as described in U.S. patent application Ser. No.16/444,826 filed on Jun. 18, 2019. The components of FIG. 16, in someembodiments, are also used to configure logical forwarding elements touse service chains.

FIG. 17 conceptually illustrates a process 1700 for configuring logicalforwarding elements (e.g., virtual routing and forwarding (VRF)contexts) to connect to logical service forwarding planes. Process 1700,in some embodiments, is performed by a network controller computer toprovide configuration information to the edge device to configure theedge forwarding element to connect to logical service forwarding planes.The process begins by identifying (at 1710) a logical forwarding elementto be connected to the logical service forwarding plane. The logicalforwarding element, in some embodiments, is a logical router component(e.g., an AZG-SR, AZG-DR, VPCG-SR, or VPCG-DR). The logical routercomponents, in some embodiments, are implemented as a virtual routingand forwarding (VRF) context.

For the identified logical forwarding element, a set of servicesavailable at the identified logical forwarding element is identified (at1720). The set of services available at the logical forwarding element,in some embodiments, is defined by an administrator or the controllercomputer based on service insertion rules applicable at the logicalforwarding element. The set of services, in some embodiments, defines aset of service nodes (e.g., service instances) that are connected to thelogical service forwarding plane to provide the set of services.

Once the set of services are identified (at 1720), the process 1700identifies (at 1730) a logical service forwarding plane to connect thelogical forwarding element and the service nodes to provide theidentified set of services. The logical service forwarding element, insome embodiments, is identified by a service virtual network identifier(SVNI) that is selected from multiple SVNIs used in the logical network.In some embodiments, a set of the service nodes providing the identifiedservices are connected to multiple logical service forwarding planesidentified by multiple SVNIs. The different SVNIs, in some embodiments,are used to distinguish traffic for different tenants.

The process 1700 then generates (at 1740) configuration data toconfigure the logical forwarding element to connect to the identifiedlogical service forwarding plane. In some embodiments, the configurationdata includes an interface mapping table that maps logical forwardingelements (e.g., VRF contexts) to interfaces of logical serviceforwarding planes. The interface mapping table, in some embodiments, isused by the logical forwarding elements to identify an interface to useto forward data messages to service nodes connected to the logicalservice forwarding plane.

The process 1700 then determines (at 1750) if additional logicalforwarding elements need to be configured to connect to a logicalservice forwarding plane. If an additional logical forwarding elementneeds to be required, the process 1700 returns to operation 1710 toidentify a next logical forward element that requires connection to alogical service forwarding element. If no additional logical forwardingelement needs to be configured, the process 1700 provides (at 1760) theconfiguration data to a set of edge devices on which the set ofidentified logical forwarding elements (e.g., edge forwarding elements)is implemented. In some embodiments, the configuration data includesservice-insertion data for configuring the logical forwarding element asdescribed above and also includes service forwarding data forconfiguring logical software forwarding elements that implements logicalservice forwarding planes associated with the logical forwardingelements implemented by the set of edge devices.

FIG. 18 illustrates a set of operations performed by a set of serviceinsertion layer and service transport layer modules 1135 called by aservice router at either T0 or T1 (e.g., TX SR 1130) for a first datamessage 1810 in a data message flow that requires services from aservice node reachable through a tunneling mechanism (e.g., a virtualprivate network). The basic operations for service classification by theSI pre-processor are as described above for FIG. 11. FIG. 18 illustratesthat a UUID identifies a virtual tunnel interface (VTI) or otheridentifier for a service node accessed through a VPN. In someembodiments, the UUID is associated with multiple service nodes and aset of selection metrics. The selection metrics can be selection metricsfor a load balancing operation that is any of: a round robin mechanism,a load-based selection operation (e.g., selecting a service node with alowest current load), or a distance-based selection operation (e.g.,selecting a closest service node as measured by a selected metric).

Once a service node is selected, the process identifies forwardinginformation associated with the selected service node by performing alookup in forwarding table 1138. The forwarding table 1138 storesforwarding information for the service node (e.g., an IP address of theVTI). The IP address associated with the selected service node, in otherembodiments, are stored with the VTI or service node identifier in thepolicy table 1137 and the forwarding table 1138 is unnecessary.

In some embodiments, selecting a service node for a forward directiondata message flow includes selecting the same service node for a reversedirection data message flow. In such embodiments, forwarding information(e.g., the IP address of the selected service node) for each directionis determined at this point. Once the service node has been selected andthe forwarding information has been identified, connection trackerrecords are created for the forward and reverse direction flows and areprovided to the connection tracker storage 1121. As discussed below, theconnection tracker record includes the forwarding information (e.g., theIP address for the interface), a service action (if a service action isdefined for the data message flow), and a service insertion ruleidentifier for the service insertion rule that was identified asmatching the attributes of data message 1810. In some embodiments, theconnection tracker record includes a service insertion type identifier.In some embodiments a service node state value (e.g., SN_gen) isincluded in the connection tracker record as described above in relationto FIGS. 11 and 14. The information stored in the connection trackerrecord is used to process subsequent data messages in the forward andreverse data message flows.

The data message 1822 along with the forwarding information 1821 arethen provided to the STL module 1122. The forwarding information, inthis example, for a data message requiring services provided by aservice node accessed through a VPN includes, in some embodiments, anext hop IP address for the virtual tunnel interface and a serviceinsertion type identifier to identify the data message as using atunneling transport mechanism.

The service routing processor 1125 as shown routes the data message tothe VTI based on the IP address identified by the SI pre-processor 1120.In some embodiments, the data message 1831 is provided to the VTI withthe original source and destination IP addresses as well as an originaldata message source and destination port. In other embodiments, thedestination IP address is changed to the IP address of the VTI with theoriginal destination IP address stored in a metadata storage of the edgeforwarding element to be used by the edge forwarding element to restorethe destination IP address of the serviced data message after it isreceived from the service node. The VTI receives data message 1831 andthe processing pipeline, in some embodiments, encrypts and encapsulatesthe data message to be delivered over the VPN as data message 1851. Areturn data message is then received at the VTI and processed asdescribed above for the return data message of FIG. 11.

FIG. 19 illustrates a set of operations performed by a set of serviceinsertion layer and service transport layer modules 1135 called by aservice router at either T0 or T1 (e.g., TX SR 1130) for a first datamessage 1910 in a data message flow that requires services from aservice node reachable through a L2 BIW mechanism. The basic operationsfor service classification by the SI pre-processor are as describedabove for FIG. 11.

FIG. 19 illustrates that a UUID identifies a service node accessedthrough a L2 BIW transport mechanism. In some embodiments, the UUID isassociated with multiple service nodes and a set of selection metrics.The selection metrics can be selection metrics for a load balancingoperation that is any of: a round robin mechanism, a load-basedselection operation (e.g., selecting a service node with a lowestcurrent load), or a distance-based selection operation (e.g., selectinga closest service node as measured by a selected metric).

Once a service node is selected, the process identifies forwardinginformation associated with the selected service node by performing alookup in forwarding table 1138. The forwarding table 1138 storesforwarding information for the service node (e.g., a set of dummy IPaddresses of interfaces of the TX SR 1130). The dummy IP addresses insome embodiments, are a set of source and destination IP addresses thatare associated with first and second virtual interfaces (VIs) of the BIWpair interfaces 1126 that are each connected to the same service node.The dummy IP addresses associated with the selected service node, inother embodiments, are stored with the service node identifier in thepolicy table 1137 and the forwarding table 1138 is unnecessary.

In some embodiments, selecting a service node for a forward directiondata message flow includes selecting the same service node for a reversedirection data message flow. For L2 BIW, the forwarding information fora forward direction data message flow, in some embodiments, identifiesthe same dummy IP addresses as for the forward direction data messageflow but identifies the source IP address for the forward direction datamessage as a destination IP address for a reverse direction data messageand a destination IP address as a source IP address. Once the servicenode has been selected and the forwarding information has beenidentified, connection tracker records are created for the forward andreverse direction flows and are provided to the connection trackerstorage 1121. As discussed below, the connection tracker record includesthe forwarding information (e.g., the dummy IP address for thedestination interface), a service action (if a service action is definedfor the data message flow), and a service insertion rule identifier forthe service insertion rule that was identified as matching theattributes of data message 1910. In some embodiments, the connectiontracker record includes a service insertion type identifier. In someembodiments a service node state value (e.g., BFD_gen) is included inthe connection tracker record as described above in relation to FIGS. 11and 14. The information stored in the connection tracker record is usedto process subsequent data messages in the forward and reverse datamessage flows.

The data message 1922 along with the forwarding information 1921 arethen provided to the STL module 1122. The forwarding information, inthis example, for a data message requiring services provided by aservice node accessed through a L2 BIW connection includes, in someembodiments, a set of next hop dummy IP addresses for the virtualinterfaces and a service insertion type identifier to identify the datamessage as using a L2 BIW transport mechanism.

The STL module 1122 as shown provides the data message to the interfacein the BIW paired interfaces 1126 identified as a source interface basedon the dummy IP address identified by the SI pre-processor 1120. In someembodiments, the data message 1932 is provided to source interface(associated with MAC address MAC 1) in the BIW interface pair 1126 withthe original source and destination IP addresses but with source anddestination MAC addresses of the BIW interface pair 1126 associated withthe L2 BIW service node. The data message is then processed by the L2service node that returns the serviced data message to the interface inthe BIW interface pair identified as the destination interface(associated with MAC address MAC 2). The returned data message is thenprocessed as described above for the return data message of FIG. 11.

As discussed above, the transport mechanisms, in some embodiments,include a tunneling mechanism (e.g. a virtual private network (VPN),internet protocol security (IPSec), etc.) that connects the edgeforwarding element to at least one service node through a correspondingset of virtual tunnel interfaces (VTIs). In addition to the VTIs used toconnect the edge forwarding element to the service nodes, the edgeforwarding element uses other VTIs to connect to other network elementsfor which it provides forwarding operations. At least one VTI used toconnect the edge forwarding element to other (i.e., non-service node)network elements is identified to perform a service classificationoperation and is configured to perform the service classificationoperation for data messages received at the VTI for forwarding. The VTIsconnecting the edge forwarding element to the service nodes, in someembodiments, are not configured to perform a service classificationoperation and are instead configured to mark data messages returned tothe edge forwarding element as having been serviced. In otherembodiments, VTIs connecting the edge forwarding element to the servicenodes are configured to perform limited service classificationoperations using a single default rule that is applied at the VTI thatmarks data messages returned to the edge forwarding element as havingbeen serviced.

For traffic exiting a logical network through a particular VTI, someembodiments perform a service classification operation for differentdata messages to identify different VTIs that connect the edgeforwarding element to a service node to provide services required by thedata messages. Each data message, in some embodiments, is then forwardedto the identified VTI to receive the required service (e.g., from theservice node connected to the edge forwarding element through the VTI).The identified VTI does not perform a service classification operationand merely allows the data message to reach the service node. Theservice node then returns the serviced data message to the edgeforwarding element. In some embodiments, the VTI is not configured toperform the service classification operation and is instead configuredto mark all traffic directed to the edge forwarding element from theservice node as having been serviced. The marked serviced data messageis then received at the edge forwarding element and is forwarded to adestination of the data message through the particular VTI. In someembodiments, the particular VTI does not perform additional serviceinsertion operations because the data message is marked as having beenserviced.

In some embodiments, the service classification operation is implementedseparately from a service classification operation for non-tunneledtraffic received at an uplink interface of the edge forwarding element.The different implementation, in some embodiments, is due to the factthat the tunneled data messages are received at the uplink interface inan encapsulated and encrypted format that, if processed by the uplinkservice classification operation would result in an incorrect serviceclassification (e.g., an incorrect identification of a necessary set ofservices and forwarding information for the underlying (encapsulated)data message flow). Therefore, some embodiments, implement a serviceclassification operation as part of the VTI datapath after an incomingdata message has been decapsulated (and decrypted, if necessary) or foroutgoing data messages before encryption and encapsulation.

FIGS. 20A-B and 21A-B conceptually illustrate a data message flowthrough the system described above. FIGS. 20A-B conceptually illustratea data message being sent from a compute node 2060 in a logical network2003 (e.g., logical network A) implemented in a cloud environment 2002to a compute node 2080 in an external datacenter 2001. Compute node 2080in data center 2001 is connected to the logical network using a VPN(i.e., a tunneling mechanism) 2005 through external network 2004 to thelogical network 2003. The tunnel, in some embodiments, uses the physicalinterface that is identified as an uplink interface of the edge deviceexecuting an edge forwarding element, but is logically identified as aseparate interface of the edge forwarding element. For the sake ofconceptual clarity, the different logical interfaces and associatedservice classification operations are presented to represent the logicalstructure of the network. Additionally, internal elements of data center2001 beyond the tunnel endpoint and destination compute node 2080 arealso omitted for clarity.

The communication from compute node 2060 to 2080 begins with standardlogical processing through the elements of logical network 2003.Accordingly, the compute node 2060 provides the data message to tenantdistributed router 2040 using logical switch 2050. In some embodiments,both the logical switch 2050 and the tenant distributed router 2040 areimplemented by a local managed forwarding element on a same host ascompute node 2060. VPC distributed router 2040 in turn routes the datamessage to VPC service router 2030 using, in some embodiments, a transitlogical switch (not shown) as described in relation to FIGS. 4-6. TheVPC service router 2030 routes the data message to availability zonedistributed router 2020. As described above, VPC service router 2030, insome embodiments, executes on a first edge device that also implementsthe availability zone distributed router 2020 and, in other embodiments,executes on a same edge device as availability zone service router 2010.The availability zone distributed router 2020 in turn routes the datamessage to availability zone service router 2010 using, in someembodiments, a transit logical switch (not shown) as described inrelation to FIGS. 4-6.

The availability zone service router 2010 then routes the data messageto the VTI as the next hop for the data message. As part of the VTIprocessing pipeline, an SI classifier 2007 (e.g., a VTI-SI classifier)performs a service classification operation before encryption andencapsulation that, based on a service insertion rule applied at theVTI, identifies that the data message requires a service that isprovided by L3 service node 2070 that sits outside of the logicalnetwork 2003. The SI classifier identifies the VTI associated with VPN2006 as the next hop towards the L3 service node 2070 and sends the datamessage for processing. The SI classifier sitting between theavailability zone service router 2010 and VPN 2006 does not performservice classification operations on service insertion traffic and thedata message arrives at the L3 service node 2070 which performs aservice on the data message.

FIG. 20B illustrates the serviced data message being returned to theavailability zone service router 2010 to be routed to the destinationcompute node 2080 over VPN 2005. Although shown as post-serviceinsertion traffic from the L3 service node 2070, in some embodiments,marking the data message as serviced (i.e., post-SI) is done at the SIclassifier sitting between VPN 2006 and availability zone service router2010 based on a default rule that is the only SI rule applied at the SIclassifier. In other embodiments, the marking is a part of theprocessing pipeline configured for each interface connecting to an L3service node without a service classification operation. For this datamessage the SI classifier sitting between the availability zone servicerouter 2010 does not perform a second service classification operationbased on the data message being marked as serviced and the data messageis processed (encapsulated or encrypted and encapsulated) for deliveryto compute node 2080 over VPN 2005. In some embodiments in which a tagis used to mark the data message as serviced, after the SIclassification operation is bypassed based on the tag, further pipelineprocessing removes the tag. In other embodiments, marking the datamessage as serviced is a tag stored in local metadata associated withthe data message and is deleted once the data message has completedprocessing for delivery to an external network at the availability zoneservice router 2010.

FIGS. 21A-B conceptually illustrate a data message being sent from acompute node 2080 in an external datacenter 2001 to a compute node 2060in a logical network 2103 (e.g., logical network A) implemented in acloud environment 2002. The components of FIGS. 20A-B and 21A-B are thesame and if the data message sent in FIGS. 20A-B is considered a forwarddirection data message flow, then the data message sent in FIGS. 21A-Bcan be considered a reverse direction data message flow. Thecommunication begins by having the compute node 2080 send a data messageto the tunnel endpoint in data center 2001 that connects to the VPN 2005(again ignoring the internal components of data center 2001). The datamessage is encapsulated (or encrypted and encapsulated) and is sent overexternal network 2004 using VPN 2005. The data message is then logicallyprocessed to arrive at the VTI and to undergo a processing pipeline ofthe VTI. The data message is unencapsulated and, if necessary, decryptedat which point the SI classifier 2007 performs a service classificationoperation to determine if any service is required for the data message.

The SI classifier 2007 determines that, based on a service insertionrule applied at the VTI, the data message requires a service that isprovided by L3 service node 2070. The SI classifier identifies the VTIassociated with VPN 2006 as the next hop towards the L3 service node2070 and sends the data message for processing. The SI classifiersitting between the availability zone service router 2010 and VPN 2006does not perform service classification operations on service insertiontraffic and the data message arrives at the L3 service node 2070 whichperforms a service on the data message.

FIG. 21B illustrates the serviced data message being returned to theavailability zone service router 2010 to be routed to the destinationcompute node 2060 through the elements of logical network 2103. Althoughshown as post-service insertion traffic from the L3 service node 2070,in some embodiments, marking the data message as serviced (i.e.,post-SI) is done at the SI classifier sitting between VPN 2006 andavailability zone service router 2010 based on a default rule that isthe only SI rule applied at the SI classifier. In other embodiments, themarking is a part of the processing pipeline configured for eachinterface connecting to an L3 service node without a serviceclassification operation. In some embodiments in which a tag is used tomark the data message as serviced, the availability zone service router2010 processing removes the tag before forwarding the data message tothe availability zone distributed router 2020. As discussed below inrelation to FIG. 31, some embodiments require the serviced tag to crosslogical router boundaries to avoid redundant service classificationoperations at a VPC service router. In other embodiments, marking thedata message as serviced is a tag stored in local metadata associatedwith the data message and is deleted once the data message has completedprocessing for delivery to the next hop router component (e.g., theavailability zone distributed router 2020). The data is then deliveredto the compute node 2060 through the logical network including VPCservice router 2030, VPC distributed router 2040, and logical switch2050.

FIG. 22 conceptually illustrates a first method for providing servicesfor data messages at an uplink interface in a set of uplink interfaces.In some embodiments, the data message is received from a source in theexternal network 2004 and is destined for a destination in the externalnetwork 2004, but requires services provided at the edge forwardingelement of the logical network 2203. The services in the embodimentdepicted in FIG. 22 are provided by service chain service nodes 2270 a-cusing a logical service forwarding plane transport mechanism (e.g.,logical service forwarding element 2209). One of ordinary skill in theart will understand that alternative transport mechanisms are used inother embodiments. In the depicted embodiment, a data message arrives ata first uplink interface with an external network 2004, and a serviceclassification operation occurs at SI classifier 2007 that determines,based on a service insertion rule that applies to the data messagereceived at the uplink interface, that a set of services is required andidentifies forwarding information (e.g., SPI, next hop MAC, etc. asdescribed above) to access the required set of services.

The service classification operation, in the illustrated embodiment isprovided before a routing operation of the availability zone servicerouter 2010. Based on the identified forwarding information, theavailability zone service router 2010 provides the data message toservice chain service node 2270 a to provide a first service to the datamessage and pass the data message along to a next hop in a service path(i.e., service chain service node 2270 b). In some embodiments, theavailability zone service router 2010 identifies a service chain servicenode functionality provided by the availability zone service router 2010as a first hop that then routes the data message to the service chainservice node 2270 a. In either embodiment, after receiving the datamessage from service chain service node 2270 a, service chain servicenode 2270 b provides a next service in the service chain and providesthe data message to service chain service node 2270 c to provide anadditional service and to identify the service chain service nodefunctionality provided by the availability zone service router 2010 asthe last hop in the service path. Each data message sent between servicechain service nodes (e.g., SVMs) uses the logical service forwardingelement 2209 and, in some embodiments, involves service proxies andservice transport layer modules not shown here for the sake of clarity.The use of service proxies and service transport layer modules aredescribed in more detail above in relation to FIG. 11 and in relatedU.S. patent application Ser. No. 16/444,826.

The serviced data message is then routed to a destination in theexternal network 2004 by the availability zone service router 2010. Therouting identifies a second uplink interface with the external network2004 and provides the serviced data message with a tag or metadataidentifying the data message as a serviced data message. Based on theidentification, the service classifier at the second uplink interfacedoes not provide an additional service classification operation, and thedata message is forwarded to the destination. As discussed above, insome embodiments using a tag to identify the data message as a serviceddata message, the tag is removed before the data message is sent overthe uplink interface.

FIG. 23 conceptually illustrates a second method for providing servicesfor data messages at an uplink interface in a set of uplink interfaces.In some embodiments, the data message is received from a source in theexternal network 2004 and is destined for a destination in the externalnetwork 2004, but requires services provided at the edge forwardingelement of the logical network 2203. The services in the embodimentdepicted in FIG. 23 are provided by service chain service nodes 2270 a-cusing a logical service forwarding plane transport mechanism (e.g.,logical service forwarding element 2209). One of ordinary skill in theart will understand that alternative transport mechanisms are used inother embodiments. In the depicted embodiment, a data message arrives ata first uplink interface with an external network 2004, and a serviceclassification operation at SI classifier 2007 fails to identify anyrequired set of services as the service classification rule is definedonly for data messages received (in either ingress or egress directions)for the second uplink interface. So, in this embodiment, the SIclassifier for the first uplink interface provides the data message toavailability zone service router 2010 with no service insertionforwarding information. The availability zone service router 2010 routesthe data message to the second uplink interface based on a destinationIP address of the data message and the SI classifier of the seconduplink interface determines, based on a service insertion rule thatapplies to the data message received at the second uplink interface,that a set of services is required and identifies forwarding information(e.g., SPI, next hop MAC, etc. as described above) to access therequired set of services. The rest of the data message processingproceeds as in FIG. 22 above.

FIG. 24 conceptually illustrates a logical network 2203 that providesservice classification operations at multiple routers of the logicalnetwork. As in FIG. 22, a first service classification operationperformed before the availability zone service router 2010 identifies aset of services required by the data message. In this example, the setof services includes services provided by the service chain servicenodes 2270 a and 2270 b. The availability zone service router 2010router provides the data message to service chain service node 2270 a asdescribed above, which provides the service and provides the serviceddata message to the service chain service node 2270 b which provides anadditional service and returns the data message to the availability zoneservice router 2010. In the illustrated embodiment, the availabilityzone service router 2010 removes a tag identifying the data message as aserviced data message and forwards the data message to VPC servicerouter 2030 (through availability zone distributed router 2020).

Prior to being routed by VPC service router 2030, SI classifier 2007associated with the VPC service router 2030 performs a serviceclassification operation that determines, based on a service insertionrule that applies to the data message received at the VPC service router2030 uplink interface, that a set of services is required and identifiesforwarding information (e.g., SPI, next hop MAC, etc. as describedabove) to access the required set of services. The data message isprovided to the VPC service router 2030 which uses the forwardinginformation to provide the data message to service chain service node2270 c which returns the serviced data message to the VPC service router2030. The VPC service router 2030 then routes the serviced data messageto the destination compute node 2060.

FIG. 25 conceptually illustrates an edge forwarding element (AZG servicerouter 2010) connected to service nodes 2570 a-e using multipletransport mechanisms. Logical network 2503 includes the same logicaledge forwarding elements as FIGS. 20A-B: availability zone servicerouter 2010, availability zone distributed router 2020, VPC servicerouter 2030, and VPC distributed router 2040. In some embodiments, thedifferent router components are each defined as a separate VRF context.Dashed and dotted line boxes in FIG. 25 indicate edge devices thatimplement different edge forwarding element components. In theillustrated embodiment, different edge devices implement availabilityzone and VPC service routers, however the availability zone distributedrouter is implemented by both an availability zone edge device and a VPCedge device for ingress and egress data messages respectively, asexplained in relation to FIG. 10. Similarly, VPC distributed router 2040is implemented by both the VPC edge device and the hosts for ingress andegress data messages respectively. As shown, availability zone servicerouter 2010 connects to (1) a set of service chain service nodes 2570a-c over a logical service forwarding plane (or logical service plane(LSP)) 2509 through a service link 2508, (2) a set of L3 service nodes2570 d through a set of VPNs 2505, and (3) a set of L2 BIW service nodes2570 e through a set of interfaces. The availability zone service router2010 uses the service nodes to provide services as described above inrelation to FIGS. 11, 12, 18, and 19. Because different data messagesrequire different services provided by different types of service nodes,some embodiments provide services using multiple service transportmechanisms to access the different types of service nodes as shown inFIG. 25.

FIGS. 26 and 27 conceptually illustrate logical networks in whichmultiple logical service forwarding planes are configured for differentservice routers. FIG. 26 illustrates a logical network 2603 includingthree VPC service routers 2630 belonging to two different tenants.Logical network 2603 also illustrates three logical service forwardingplanes 2609 a-c connected to the VPC service routers 2630 one of which(2609 c) also connects to an availability zone service router 2010. Thedifferent logical service forwarding planes 2609 a-c connect todifferent sets of service chain service nodes. In the embodiment of FIG.26, the service chain service nodes 2670 a-c are used by VPC servicerouters 2630 of Tenant 1 while the service chain service nodes 2670 d-gare shared by availability zone service router 2010 and VPC servicerouter 2630 of Tenant 2.

FIG. 27 illustrates a logical network 2703 including three VPC servicerouters 2630 belonging to three different tenants. Logical network 2703also illustrates four logical service forwarding planes 2709 a-cconnected to the VPC service routers 2630 one of which (2709 c) alsoconnects to an availability zone service router 2010 and a logicalservice forwarding plane 2709 d that is a second logical serviceforwarding plane that connects only to the availability zone servicerouter 2010. Logical service forwarding planes 2709 a and 2709 b connectto a common set of service chain service nodes (2770 a-c) while logicalservice forwarding planes 2709 c and 2709 d connect to distinct sets ofservice chain service nodes. In the embodiment of FIG. 27, the servicechain service nodes 2770 a-c are used by VPC service routers 2630 ofboth Tenant 1 and Tenant 2. While the shared service chain nodes 2770a-c are used by two different tenants, the data message traffic for eachtenant is kept separate by using different logical service forwardingplanes 2709 a and 2709 b. As in FIG. 26, the service chain service nodes2770 d-g are shared by availability zone service router 2010 and VPCservice router 2630 of Tenant 3. However, in FIG. 27 the availabilityzone service router 2010 has a second logical service forwarding plane2709 d to which it connects that is not shared by a VPC service router2630. As discussed below in relation to FIGS. 30 and 31 below, theservice chain service nodes 2770 h-j, in some embodiments, areaccessible to the VPC service router 2630 of Tenant 3 if theavailability zone service router 2010 is configured to provide a L3routing service as a service chain service node.

FIG. 28 conceptually illustrates a process for accessing servicesprovided at an availability zone edge forwarding element from a VPC edgeforwarding element. Process 2800, in some embodiments, is performed by aVPC edge forwarding element (e.g., a VPC service router). In someembodiments, the process is performed by a service classificationoperation of the VPC edge forwarding element. The process 2800 begins byreceiving (at 2810) a data message at an uplink interface of the VPCservice router. In some embodiments, the data message is received fromthe VPC service router after a routing operation of the VPC servicerouter, while in other embodiments, the data message is received from anavailability zone distributed router.

The service classification operation determines (at 2820) that the datamessage requires a service provided at the availability zone servicerouter. In some embodiments, the service classification operationperforms the operations of process 100 to determine that the datamessage requires the service and to identify (at 2830) forwarding datafor the data message. The forwarding information identified for the datamessage, in some embodiments, includes service metadata (SMD) used tosend the data message over a logical service forwarding plane to theavailability zone service router and additional service metadata fordirecting the availability zone service router to redirect the datamessage to a particular service node or set of service nodes. In someembodiments, the additional service metadata takes the form of argumentsof a function call to a function exposed at the availability zoneservice router.

The data message is then sent (at 2840) to the availability zone servicerouter over the logical service forwarding plane along with the servicemetadata identifying the required additional services. FIG. 29conceptually illustrates a process 2900 for the availability zoneservice router to perform when it receives a data message from the VPCservice router as part of process 2800. Process 2900 begins by receiving(at 2910) the data message sent (at 2840) from the VPC service router tobe serviced. The data message is received over the logical serviceforwarding plane at a service link of the availability zone servicerouter.

Once the data message is received by the availability zone servicerouter, the availability zone service router determines (at 2920) thatthe data message requires a routing service to at least one additionalservice node. In some embodiments, the determination is made based onthe additional metadata provided by the VPC service router, while inother embodiments, the determination is made based on an argument of afunction call to a function (e.g., an API) made available at theavailability zone service router.

Once the determination that the data message requires a routing serviceto at least one additional service node is made (at 2920), theavailability zone service router provides (at 2930) the service based onthe received metadata. In some embodiments, the service is provided bythe service node functionality of the service router and the service isprovided without redirection. In other embodiments, the service isprovided by a set of service nodes reachable through one of thetransport mechanisms described above and the data message is redirectedto the service node using the appropriate transport mechanism. Once thedata message is redirected to the service node, the process proceedsmuch like the process of FIG. 11, 12, 18, or 19 depending on thetransport mechanism used to redirect the data message.

The serviced data message is received at the availability zone servicerouter (at 2940) and is marked as a serviced data message. As mentionedabove, in this embodiment, an identification of the data message asbeing serviced must be carried through the availability zone servicerouter and distributed router so that the SI classifier of the VPCservice router does not apply the same service insertion rule andredirect the data message to the same destination and get stuck in aloop. In embodiments in which the availability zone service router andthe VPC service router are implemented in a same edge device, metadataidentifying the data message as serviced is stored in a shared metadatastorage that is used by the VPC service router SI classifier to identifya data message as serviced.

The data message is then routed (at 2950) to the destination. In someembodiments, the data message is routed to an external destination or aVPC service router that is different than the VPC service router withoutbeing returned to the VPC service router that sent the data message tothe availability zone service router. In other embodiments, for datamessages that were originally destined to a compute node in the networksegment reached through the VPC service router (e.g., a southbound datamessage) the data message is routed to the VPC service router from whichthe data message was received. After routing the data message, theprocess 2900 ends. In an embodiment in which the data message is routedtowards the VPC service router from which the data message was received,the process 2800 receives (at 2850) the serviced data message identifiedas a serviced data message and the SI classifier does not perform aservice classification operation based on the marking. The data messageis then received at the VPC service router and is routed to the datamessage's destination.

FIG. 30 conceptually illustrates a VPC service router 3030 processing adata message sent from a first compute node 3060 a to a second computenode 3060 b in a second network segment served by a second VPC servicerouter 3030. The data message is processed through the logical switch3050 connected to the source compute node 3060 a, the VPC distributedrouter 3040, and the VPC service router 3030 before encountering a SIclassifier 2007 that determines, as described above in relation to FIG.28, that the data message should be sent to the availability zoneservice router 2010 for having a service provided by L3 service node3070. The data message is then sent over the logical service forwardingplane to the availability zone service router 2010 which redirects thedirection to the identified service node (e.g., L3 service node 3070).The data message is then returned to the availability zone servicerouter 2010 and routed to compute node 3060 b as described above.

In some embodiments, sending the data message to the availability zoneservice router 2010 using the logical service forwarding plane includessending the data message through a layer 2 interface 3005 of a softwareswitch executing on the same device as the service router. The softwareswitch is used to implement the logical service forwarding element(e.g., LSFE 801) represented by LSP 3009. In some embodiments, theconnection to the AZG service router 2010 is mediated by a service proxyimplemented by the AZG service router 2010 to comply with industrystandard service insertion protocols.

FIG. 31 conceptually illustrates a VPC service router 3030 processing adata message sent from an external network 2004 to a compute node 3060.The data message is processed through the availability zone servicerouter 2010 and the availability zone distributed router 2020 beforeencountering a SI classifier 2007 that determines, as described above inrelation to FIG. 28, that the data message should be sent to theavailability zone service router 2010 for having a service provided byL3 service node 3070. The data message is then returned to theavailability zone service router 2010 and routed to compute node 3060.In routing the data message to the compute node 3060, the data messagetraverses the SI classifier 2007, but no service classificationoperation is performed because the serviced data message is identifiedas a serviced data message that does not require a serviceclassification operation. The data message is then processed through theVPC service router 3030, the VPC distributed router 3040, and thelogical switch 3050 and delivered to the destination compute node 3060.

Some embodiments facilitate the provision of a service reachable at avirtual internet protocol (VIP) address. The VIP address is used byclients to access a set of service nodes in the logical network. In someembodiments, data messages from client machines to the VIP are directedto an edge forwarding element at which the data messages are redirectedto a load balancer that load balances among the set of service nodes toselect a service node to provide a service requested by the clientmachine. The load balancer, in some embodiments, does not change thesource IP address of the data message received from the client machineso that the service node receives a data message to be serviced thatidentifies the client machine IP address as a source IP address. Theservice node services the data message and sends the serviced datamessage to the client machine using the IP address of the service nodeas a source IP address and the IP address of the client node as thedestination IP address. Because the client sent the original address tothe VIP address, the client will not recognize the source IP address ofthe serviced data message as being a response to the request sent to theVIP address and the serviced data message will not be processedappropriately (e.g., it will be dropped, or not associated with theoriginal request).

Facilitating the provision of the service, in some embodiments, includesreturning the serviced data message to the load balancer to track thestate of the connection using the service logical forwarding element. Touse the service logical forwarding element, some embodiments configurean egress datapath of the service nodes to intercept the serviced datamessage before being forwarded to a logical forwarding element in thedatapath from the client to the service node, and determine if theserviced data message requires routing by the routing service providedas a service by the edge forwarding element. If the data messagerequires routing by the routing service (e.g., for serviced datamessages), the serviced data message is forwarded to the edge forwardingelement over the service logical forwarding element. In someembodiments, the serviced data message is provided to the edgeforwarding element along with the VIP associated with the service, inother embodiments, the edge forwarding element determines the VIP basedon a port used to send the data message over the service logicalforwarding element. The VIP is used by the edge forwarding element toidentify the load balancer associated with the serviced data message.The serviced data message is then forwarded to the load balancer for theload balancer to maintain state information for the connection to whichthe data message belongs and modify the data message to identify the VIPas the source address for forwarding to the client.

FIGS. 32A-B illustrate a set of data messages for providing a serviceaddressable at a VIP to a client served by a same virtual private cloudgateway (e.g., a VPCG service and distributed router). FIG. 32Aillustrates a logical network 3203 including two logical switches 3250 aand 3250 b serviced by a same VPC service router 3230. Logical switch3250 a connects to a set of guest virtual machines (GVMs) 3261-3263 thatprovide a service reachable at a virtual IP (VIP) address. In someembodiments, the GVMs provide content instead of providing a service.Logical switch 3250 b connects to client 3290 that accesses the servicesavailable at the VIP. FIG. 32A illustrates a first data message sentfrom the client 3290 to the VIP address. The data message is forwardedto the VPC service router 3230 which identifies a load balancer 3271 asthe next hop for the VIP address. The load balancer 3271 then performs aload balancing operation to select a GVM 3261 from the set of GVMs3261-3263. The load balancer 3271 changes the destination IP addressfrom the VIP to the IP address of the selected GVM 3261.

FIG. 32B illustrates the GVM 3261 returning the serviced data message tothe client device 3290. The serviced data message is intercepted at aservice insertion (SI) pre-processor as described in U.S. patentapplication Ser. No. 16/444,826 that redirects the data message over thelogical service forwarding plane 3209 to the VPC service router. In someembodiments, the pre-processor is configured to redirect all datamessages over the logical service forwarding plane to the VPC servicerouter. The serviced data message, in some embodiments, is sent to theVPC service router along with metadata identifying the VIP to which thedata message was originally sent. In other embodiments, the VPC servicerouter identifies a destination for the data message based on attributesof the data messages (e.g., a port, or source address). The VPC servicerouter 3230 routes the data message to the load balancer 3271. The loadbalancer 3271, in some embodiments, stores state information for thedata message flow which it uses to update a source IP Address to be theVIP address and send the data message to the client 3290 with a sourceIP address that is recognized by the client 3290.

Many of the above-described features and applications are implemented assoftware processes that are specified as a set of instructions recordedon a computer readable storage medium (also referred to as computerreadable medium). When these instructions are executed by one or moreprocessing unit(s) (e.g., one or more processors, cores of processors,or other processing units), they cause the processing unit(s) to performthe actions indicated in the instructions. Examples of computer readablemedia include, but are not limited to, CD-ROMs, flash drives, RAM chips,hard drives, EPROMs, etc. The computer readable media does not includecarrier waves and electronic signals passing wirelessly or over wiredconnections.

In this specification, the term “software” is meant to include firmwareresiding in read-only memory or applications stored in magnetic storage,which can be read into memory for processing by a processor. Also, insome embodiments, multiple software inventions can be implemented assub-parts of a larger program while remaining distinct softwareinventions. In some embodiments, multiple software inventions can alsobe implemented as separate programs. Finally, any combination ofseparate programs that together implement a software invention describedhere is within the scope of the invention. In some embodiments, thesoftware programs, when installed to operate on one or more electronicsystems, define one or more specific machine implementations thatexecute and perform the operations of the software programs.

FIG. 33 conceptually illustrates a computer system 3300 with which someembodiments of the invention are implemented. The computer system 3300can be used to implement any of the above-described hosts, controllers,and managers. As such, it can be used to execute any of the abovedescribed processes. This computer system includes various types ofnon-transitory machine readable media and interfaces for various othertypes of machine readable media. Computer system 3300 includes a bus3305, processing unit(s) 3310, a system memory 3325, a read-only memory3330, a permanent storage device 3335, input devices 3340, and outputdevices 3345.

The bus 3305 collectively represents all system, peripheral, and chipsetbuses that communicatively connect the numerous internal devices of thecomputer system 3300. For instance, the bus 3305 communicativelyconnects the processing unit(s) 3310 with the read-only memory 3330, thesystem memory 3325, and the permanent storage device 3335.

From these various memory units, the processing unit(s) 3310 retrieveinstructions to execute and data to process in order to execute theprocesses of the invention. The processing unit(s) may be a singleprocessor or a multi-core processor in different embodiments. Theread-only-memory (ROM) 3330 stores static data and instructions that areneeded by the processing unit(s) 3310 and other modules of the computersystem. The permanent storage device 3335, on the other hand, is aread-and-write memory device. This device is a non-volatile memory unitthat stores instructions and data even when the computer system 3300 isoff. Some embodiments of the invention use a mass-storage device (suchas a magnetic or optical disk and its corresponding disk drive) as thepermanent storage device 3335.

Other embodiments use a removable storage device (such as a flash drive,etc.) as the permanent storage device. Like the permanent storage device3335, the system memory 3325 is a read-and-write memory device. However,unlike storage device 3335, the system memory is a volatileread-and-write memory, such a random access memory. The system memorystores some of the instructions and data that the processor needs atruntime. In some embodiments, the invention's processes are stored inthe system memory 3325, the permanent storage device 3335, and/or theread-only memory 3330. From these various memory units, the processingunit(s) 3310 retrieve instructions to execute and data to process inorder to execute the processes of some embodiments.

The bus 3305 also connects to the input and output devices 3340 and3345. The input devices enable the user to communicate information andselect commands to the computer system. The input devices 3340 includealphanumeric keyboards and pointing devices (also called “cursor controldevices”). The output devices 3345 display images generated by thecomputer system. The output devices include printers and displaydevices, such as cathode ray tubes (CRT) or liquid crystal displays(LCD). Some embodiments include devices such as a touchscreen thatfunction as both input and output devices.

Finally, as shown in FIG. 33, bus 3305 also couples computer system 3300to a network 3365 through a network adapter (not shown). In this manner,the computer can be a part of a network of computers (such as a localarea network (“LAN”), a wide area network (“WAN”), or an Intranet, or anetwork of networks, such as the Internet. Any or all components ofcomputer system 3300 may be used in conjunction with the invention.

Some embodiments include electronic components, such as microprocessors,storage and memory that store computer program instructions in amachine-readable or computer-readable medium (alternatively referred toas computer-readable storage media, machine-readable media, ormachine-readable storage media). Some examples of such computer-readablemedia include RAM, ROM, read-only compact discs (CD-ROM), recordablecompact discs (CD-R), rewritable compact discs (CD-RW), read-onlydigital versatile discs (e.g., DVD-ROM, dual-layer DVD-ROM), a varietyof recordable/rewritable DVDs (e.g., DVD-RAM, DVD-RW, DVD+RW, etc.),flash memory (e.g., SD cards, mini-SD cards, micro-SD cards, etc.),magnetic and/or solid state hard drives, read-only and recordableBlu-Ray® discs, ultra-density optical discs, and any other optical ormagnetic media. The computer-readable media may store a computer programthat is executable by at least one processing unit and includes sets ofinstructions for performing various operations. Examples of computerprograms or computer code include machine code, such as is produced by acompiler, and files including higher-level code that are executed by acomputer, an electronic component, or a microprocessor using aninterpreter.

While the above discussion primarily refers to microprocessor ormulti-core processors that execute software, some embodiments areperformed by one or more integrated circuits, such as applicationspecific integrated circuits (ASICs) or field programmable gate arrays(FPGAs). In some embodiments, such integrated circuits executeinstructions that are stored on the circuit itself.

As used in this specification, the terms “computer”, “server”,“processor”, and “memory” all refer to electronic or other technologicaldevices. These terms exclude people or groups of people. For thepurposes of the specification, the terms display or displaying meansdisplaying on an electronic device. As used in this specification, theterms “computer readable medium,” “computer readable media,” and“machine readable medium” are entirely restricted to tangible, physicalobjects that store information in a form that is readable by a computer.These terms exclude any wireless signals, wired download signals, andany other ephemeral or transitory signals.

While the invention has been described with reference to numerousspecific details, one of ordinary skill in the art will recognize thatthe invention can be embodied in other specific forms without departingfrom the spirit of the invention. For instance, several figuresconceptually illustrate processes. The specific operations of theseprocesses may not be performed in the exact order shown and described.The specific operations may not be performed in one continuous series ofoperations, and different specific operations may be performed indifferent embodiments. Furthermore, the process could be implementedusing several sub-processes, or as part of a larger macro process.

Even though the service insertion rules in several of theabove-described examples provide service chain identifiers, some of theinventions described herein can be implemented by having a serviceinsertion rule provide the service identifiers (e.g., SPIs) of thedifferent services specified by the service insertion rule. Similarly,several of the above-described embodiments perform distributed servicerouting that relies at each service hop identifying a next service hopby performing an exact match based on the SPI/SI values. However, someof the inventions described herein can be implemented by having theservice insertion pre-processor embed all the service hop identifiers(e.g., service hop MAC addresses) as the data message's serviceattribute set and/or in the data message's encapsulating service header.

In addition, some embodiments decrement the SI value differently (e.g.,at different times) than the approaches described above. Also, insteadof performing the next hop lookup just based on the SPI and SI values,some embodiments perform this lookup based on the SPI, SI and servicedirection values as these embodiments use a common SPI value for boththe forward and reverse directions of data messages flowing between twomachines.

The above-described methodology is used in some embodiments to expresspath information in single tenant environments. Thus, one of ordinaryskill will realize that some embodiments of the invention are equallyapplicable to single tenant datacenters. Conversely, in someembodiments, the above-described methodology is used to carry pathinformation across different datacenters of different datacenterproviders when one entity (e.g., one corporation) is a tenant inmultiple different datacenters of different providers. In theseembodiments, the tenant identifiers that are embedded in the tunnelheaders have to be unique across the datacenters, or have to betranslated when they traverse from one datacenter to the next. Thus, oneof ordinary skill in the art would understand that the invention is notto be limited by the foregoing illustrative details, but rather is to bedefined by the appended claims

1. A method for providing services at an edge forwarding element that isat a boundary of a tenant network in a public cloud, the methodcomprising: defining, for the edge forwarding element, a plurality ofvirtual tunnel interfaces (VTIs), each to serve as a tunnel endpoint fora virtual private network (VPN) connection; identifying a first VTI fromthe plurality of the VTIs to perform a service insertion operation for aset of services; configuring the first VTI to perform the serviceinsertion operation for data messages received at the first VTI and todirect a set of the received data messages to a second VTI to receive aservice in the set of services, without configuring the second VTI toperform the service insertion operation for the set of services in orderto avoid having the second VTI identify a service in the set of servicesfor the same received data message.
 2. The method of claim 1, whereinthe second VTI is connected to a service node that performs the servicein the set of services and returns serviced data messages to the secondVTI.
 3. The method of claim 2, wherein the second VTI directs theserviced data messages to the first VTI to be forwarded to thedestination of the serviced data messages.
 4. The method of claim 3,wherein the second VTI is configured to perform a marking operation forserviced data messages received from the service node, the markingoperation identifying the serviced data messages as having had theservice provided in order to avoid the first VTI performing the serviceinsertion operation a second time.
 5. The method of claim 1, wherein thefirst VTI is a first endpoint for a VPN implemented using an internetprotocol security (IPsec) protocol.
 6. The method of claim 5, whereinusing the IPsec protocol comprises receiving encrypted data messages atthe first VTI, and the first VTI performs the service insertionoperations after data messages are decrypted.
 7. The method of claim 1,wherein the service insertion operation performed by the first VTIcomprises: identifying a service insertion rule that applies to the setof received data messages, wherein the identified service insertion ruleapplies to the set of received data messages because a set of datamessage attributes of the set of received data messages match a set ofdata message attributes specified in the identified service insertionrule, and wherein the identified service insertion rule is included in aset of service insertion rules identified as applying at the first VTI;and identifying, based on the identified service insertion rule, (1) theservice in the set of services required by the set of received datamessages and (2) the second VTI as a next hop to which to direct thedata messages to receive the service.
 8. The method of claim 1, whereinthe first VTI is further configured to direct each of a different set ofdata messages to a different interface in the plurality of VTIs of theedge forwarding element to be provided a particular set of services inthe set of services.
 9. The method of claim 8, wherein the plurality ofVTIs of the edge forwarding element comprises a third VTI.
 10. Themethod of claim 8, wherein the plurality of VTIs of the edge forwardingelement comprises an interface connected to a logical service forwardingplane that connects to the edge forwarding element to a plurality ofservice nodes that provide a plurality of service in the set ofservices.
 11. The method of claim 8, wherein the plurality of VTIs ofthe edge forwarding element comprises a set of two interfaces thatconnect to a service node that provides a particular service, and a setof source and destination data link layer addresses is the same for aserviced data message received from the service node and for the datamessage sent to the service node over one of the interfaces in theplurality of VTIs.
 12. A method for providing services at an edgeforwarding element with a plurality of associated virtual tunnelinterfaces (VTIs) that is at a boundary of a logical network, the methodcomprising: at the edge forwarding element: performing a serviceinsertion operation for a set of services on a data message received atthe first VTI that identifies a second VTI to receive the data messagein order to forward the data message to a set of service nodes toperform the set of services; forwarding each data message to theidentified VTI for the data message to receive the required service forthe data message, wherein a service insertion operation for the set ofservices is not performed on the data message for the identified VTI;receiving each serviced data message at the identified VTI for the datamessage, wherein the serviced data message is marked as being serviced;and forwarding each serviced data message to a destination of the datamessage over the first VTI, wherein the first VTI does not provide theservice insertion operation for the serviced data message because it wasmarked as having been serviced.
 13. The method of claim 12, wherein thesecond VTI is connected to a service node that performs the service inthe set of services and returns serviced data messages to the secondVTI.
 14. The method of claim 13, wherein the service node is one of aservice virtual machine and a service appliance.
 15. (canceled)
 16. Themethod of claim 12, wherein the second VTI performs a service insertionoperation for a default service insertion rule that marks data messagesreceived from the service node as having been serviced.
 17. The methodof claim 12, wherein the first VTI is a first endpoint for a VPNimplemented using an internet protocol security (IPsec) protocol, andusing the IPsec protocol comprises receiving encrypted data messages atthe first VTI, and the first VTI performs the service insertionoperations after data messages are decrypted.
 18. The method of claim17, wherein the first VTI is an endpoint for a plurality of IPsectunnels.
 19. The method of claim 12, wherein the set of services is afirst set of services and the edge forwarding element has a plurality ofvirtual interfaces, the method further comprising: at the edgeforwarding element: performing, for the first virtual tunnel interface(VTI), a service insertion operation for the set of services on receiveddata messages directed out of the first VTI to identify other interfacesin the plurality of virtual interfaces to which to direct the receiveddata messages to receive a required set of services in the first set ofservices for the data message; forwarding each data message to theidentified virtual interface for the data message to receive therequired set of services for the data message, wherein a serviceinsertion operation for the set of services is not performed on the datamessage for the identified virtual interface; receiving each serviceddata message at the identified virtual interface for the data message,wherein the serviced data message is marked as being serviced; andforwarding each serviced data message to a destination of the datamessage over the first VTI, wherein the first VTI does not provide theservice insertion operation for the serviced data message because it wasmarked as having been serviced.
 20. The method of claim 19, wherein theservice insertion operation performed by the first VTI for the first setof services on a particular received data message comprises: identifyinga service insertion rule that applies to the particular data messages,wherein the identified service insertion rule applies to the particulardata messages because a set of data message attributes of the particulardata messages match a set of data message attributes specified in theidentified service insertion rule, and wherein the identified serviceinsertion rule is included in a set of service insertion rulesidentified as applying at the first VTI; and identifying, based on theidentified service insertion rule, (1) the required set of services forthe particular data message and (2) a virtual interface in the pluralityof virtual interfaces as a next hop to which to direct the particulardata message to receive the required set of services.
 21. The method ofclaim 20, wherein each service insertion rule in the set of serviceinsertion rules identifies a set of interfaces of the edge forwardingelement to which it applies.